WPA Certificate Question

Mike Diggins mike.diggins at McMaster.CA
Sun Jan 31 16:53:18 CET 2010


On Sun, 31 Jan 2010, Fajar A. Nugraha wrote:

> On Sun, Jan 31, 2010 at 12:09 PM, Mike Diggins <mike.diggins at mcmaster.ca> wrote:
>>>> Why self signed versus CA signed? Ideally I would like my clients to not
>>>> be questioned about the certificate at all. Is that even possible with WPA?
>>>> If I purchase a CA signed cert, would that eliminate the requirement on the
>>>> client to acknowledge the certificate or import it?
>
>>>
>>> It would also mean that anyone could go to the same CA, get a client
>>> certificate and would be able to login to your wireless network. Not really
>>> ideal IMHO ;)
>
>> But I don't plan on distributing client certificates for authentication. I
>> intend for them to login with a username and password checked against my
>> Radius server, so I'm not sure what role the certificate plays in that
>> process?
>
> I think the recommendation made perfect sense when you require client
> certificate, like when deploying EAP/TLS. If you intend to use EAP as
> a secure tunnel only, and login with user/password (like with
> PEAPv1/EAP-GTC), using a CA-signed cert might make more sense.


In the Windows WPA setup screen, Protected EAP Properties, there are 
options to "Validate server certificate", and "Connect to these servers". 
Do I specify my two Radius servers there? My clients don't have direct 
access to my Radius servers, so what actually happens when I enter them 
here? Does it just compare the FQDN to the one on the certificate that is 
presented during the login?

-Mike
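Added illustration (not code from this thread, from FreeRADIUS, or from Microsoft) of the two client-side checks the "Validate server certificate" and "Connect to these servers" settings stand for: the supplicant never contacts the RADIUS server directly, it only inspects the certificate the server presents inside the TLS tunnel, checking that it chains to a trusted CA and that its name is on the configured list. The certificates here are constructed dicts rather than real X.509 objects, the semicolon separator and "empty list accepts any name" behaviour are assumptions, and the example shows why the name list matters: with a public CA, a certificate from the same CA for some other host is still accepted unless the name list is set.

```python
"""Model of PEAP server-certificate checks performed by a supplicant.

Constructed for illustration: certificates are plain records, not X.509.
Assumptions: the server-name field is semicolon separated, and an empty
field means any name is accepted as long as the issuer is trusted.
"""

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the fields a supplicant looks at."""
    subject_cn: str
    issuer: str
    san_dns: list = field(default_factory=list)


def parse_server_list(text):
    """Split an assumed semicolon-separated 'Connect to these servers' field."""
    return [part for part in (s.strip() for s in text.split(";")) if part]


def name_matches(cert, allowed_names):
    """True if the subject CN or any SAN dNSName equals an allowed name.

    Comparison is case-insensitive and exact; no wildcard handling, so
    a cert for another host under the same CA does not match.
    """
    present = {cert.subject_cn.lower()} | {n.lower() for n in cert.san_dns}
    allowed = {n.lower() for n in allowed_names}
    return bool(present & allowed)


def validate_server_cert(cert, trusted_issuers, connect_to_servers,
                         validate_cert=True):
    """Return (accepted, reason) for a presented server certificate.

    validate_cert=False models unticking 'Validate server certificate':
    every presented certificate is accepted, which is the weak setting.
    """
    if not validate_cert:
        return True, "validation disabled: any certificate accepted"
    if cert.issuer not in trusted_issuers:
        return False, f"issuer {cert.issuer!r} is not a trusted CA"
    allowed = parse_server_list(connect_to_servers)
    if allowed and not name_matches(cert, allowed):
        return False, (f"name {cert.subject_cn!r} is not in the "
                       f"'Connect to these servers' list {allowed}")
    return True, "accepted"


# Constructed sample data: placeholder CA and host names.
TRUSTED_CAS = {"Example Public CA"}
OWN_SERVERS = "radius1.example.edu; radius2.example.edu"
GOOD_CERT = Cert("radius1.example.edu", "Example Public CA",
                 san_dns=["radius1.example.edu"])
# Same public CA, but issued for an unrelated host name.
OTHER_CERT = Cert("other-host.example.net", "Example Public CA")
SELF_SIGNED = Cert("radius1.example.edu", "radius1.example.edu")


def demo():
    """Run the sample certificates through the checks; returns a dict."""
    return {
        "own_cert_named": validate_server_cert(GOOD_CERT, TRUSTED_CAS, OWN_SERVERS)[0],
        "other_host_named": validate_server_cert(OTHER_CERT, TRUSTED_CAS, OWN_SERVERS)[0],
        "other_host_unnamed": validate_server_cert(OTHER_CERT, TRUSTED_CAS, "")[0],
        "self_signed": validate_server_cert(SELF_SIGNED, TRUSTED_CAS, OWN_SERVERS)[0],
        "validation_off": validate_server_cert(OTHER_CERT, TRUSTED_CAS, OWN_SERVERS,
                                               validate_cert=False)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Read this way, the two RADIUS FQDNs entered in the field are only ever compared against the name in the presented certificate; the self-signed case shows why a private CA would have to be imported on the client first, and the "other_host_unnamed" case shows what is lost when the name list is left empty with a public CA.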
