WPA Certificate Question
Peter Lambrechtsen
plambrechtsen at gmail.com
Sun Jan 31 03:39:29 CET 2010
On 31/01/2010, at 11:59 AM, Mike Diggins <mike.diggins at mcmaster.ca>
wrote:
>
> I was able to get freeradius 2.1.3 and wireless WPA working, likely
> due to the fact that FreeRadius was mostly configured for me
> (thanks ;) ). I’m a little confused about the certificate that is
> required in the process, and what the relationship is with the client,
> the Wireless Controller and the FreeRadius server. The README file
> states:
>
> “In general, you should use self-signed certificates for 802.1x
> (EAP) authentication.”
>
> Why self signed versus CA signed? Ideally I would like my clients to
> not be questioned about the certificate at all. Is that even
> possible with WPA? If I purchase a CA signed cert, would that
> eliminate the requirement on the client to acknowledge the
> certificate or import it?

It would also mean that anyone could go to the same CA, get a client
certificate and would be able to login to your wireless network. Not
really ideal IMHO ;)

Hence why controlling your own CA, and managing the CRL or OCSP is the
only way to go if you want to properly maintain control over your
wireless or 802.1x wired network.

Minting certificates is pretty trivial depending on the CA software you
are using and importing a CA into every workstation is also easy using
the numerous tools available.

My preference is to use the "rootsupd" package and extract that out
and update the p7b with your own ca. Then get everyone to run that, or
use software distribution to get it out enterprise wide.

>
>
> -Mike
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
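
Added example, not part of the original post or of the FreeRADIUS project: the private-CA workflow the reply describes (mint a client certificate from your own CA, then cut off access by revoking it in a CRL), done with the openssl command line. The CA name, the client name `laptop01`, the file names and the config section names are constructed for illustration.

```shell
# Private CA for 802.1X client certificates, with CRL-based revocation.
# Prints "accepted-then-rejected": the cert verifies until it is revoked.
private_ca_demo() (
  set -e
  cd "$(mktemp -d)"
  mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = wifi_ca
[ wifi_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  q() { openssl "$@" >/dev/null 2>&1; }
  # 1. Self-signed root that only you control (constructed name).
  q req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Wireless CA" -keyout ca.key -out ca.pem -days 3650
  # 2. Mint a client certificate for one workstation.
  q req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=laptop01" \
    -keyout client.key -out client.csr
  q ca -batch -notext -config ca.cnf -in client.csr -out client.pem
  # 3. Publish a CRL and check the client cert against CA and CRL.
  q ca -config ca.cnf -gencrl -out crl.pem
  check() { q verify -CAfile ca.pem -CRLfile crl.pem -crl_check client.pem \
    && echo accepted || echo rejected; }
  before=$(check)
  # 4. Revoke the cert, reissue the CRL, check again.
  q ca -config ca.cnf -revoke client.pem
  q ca -config ca.cnf -gencrl -out crl.pem
  after=$(check)
  echo "$before-then-$after"
)
private_ca_demo
```

In FreeRADIUS the equivalent settings live in the `tls` section of eap.conf, where `CA_file` names the CA and `check_crl = yes` enables the CRL check.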