WPA Certificate Question

Fajar A. Nugraha fajar at fajar.net
Sun Jan 31 09:37:25 CET 2010


On Sun, Jan 31, 2010 at 12:09 PM, Mike Diggins <mike.diggins at mcmaster.ca> wrote:
>>> Why self signed versus CA signed? Ideally I would like my clients to not
>>> be questioned about the certificate at all. Is that even possible with WPA?
>>> If I purchase a CA signed cert, would that eliminate the requirement on the
>>> client to acknowledge the certificate or import it?

>>
>> It would also mean that anyone could go to the same CA, get a client
>> certificate and would be able to log in to your wireless network. Not really
>> ideal IMHO ;)

> But I don't plan on distributing client certificates for authentication. I
> intend for them to log in with a username and password checked against my
> Radius server, so I'm not sure what role the certificate plays in that
> process?

I think the recommendation made perfect sense when you require a client
certificate, like when deploying EAP/TLS. If you intend to use EAP as
a secure tunnel only, and log in with user/password (like with
PEAPv1/EAP-GTC), using a CA-signed cert might make more sense.

-- 
Fajar
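
The trust decision discussed in this thread, as an added example that is not part of the original messages: with EAP-TLS the RADIUS server accepts any client certificate issued by the CA it trusts, while with PEAP only the client checks the server certificate against CAs it already has. It assumes the openssl command-line tool is installed; the CA names, subjects and files are constructed for the demo, and "public-ca" is a local stand-in for a commercial CA.

```shell
#!/bin/sh
# Added illustration. Every name, subject and path is constructed for this demo.
set -eu

# make_ca DIR NAME: create a self-signed CA certificate and key in DIR.
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -days 30 -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA NAME: create a key for NAME and a certificate signed by CA.
issue() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# check DIR ANCHOR CERT: decision of a verifier whose trust list is ANCHOR.
check() {
    if openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" private-ca              # CA you operate yourself
    make_ca "$d" public-ca               # stand-in for a commercial CA
    issue "$d" private-ca staff-laptop   # client cert you handed out
    issue "$d" public-ca stranger        # client cert anyone could obtain
    issue "$d" public-ca radius-server   # server cert bought from that CA
    # EAP-TLS: the RADIUS server verifies the client certificate.
    echo "tls/private-anchor/staff=$(check "$d" private-ca staff-laptop)"
    echo "tls/private-anchor/stranger=$(check "$d" private-ca stranger)"
    echo "tls/public-anchor/stranger=$(check "$d" public-ca stranger)"
    # PEAP: only the client verifies, using CAs already in its trust store.
    echo "peap/public-anchor/server=$(check "$d" public-ca radius-server)"
    rm -rf "$d"
}

demo
```

The third result is the case raised in the quoted reply; the fourth is why a CA-signed server certificate suits a password-only PEAP deployment.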



More information about the Freeradius-Users mailing list