Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Thu Jan 20 20:43:22 CET 2011


>> I know the docs also say that it is not best practices to use a 
>> publicly signed cert because ANYONE can auth against the server, 
>> however since I am in a position where almost all of the computers 
>> will NOT be managed by our staff (they are student workstations)  a public cert seems perfect.

> It's not a good idea because anyone can pretend to be the server, too.

Hmmm. I hadn't thought of that attack vector, kind of like a man-in-the-middle attack, but isn't that what the private key is for, to prevent just that?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, January 20, 2011 1:13 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) wrote:
> The documentation mentions special OIDs that need to be present for 
> MS machines to accept the cert, but I can’t find WHAT those OIDs are 
> so I can make sure I include them in the CSR.

  See the files in raddb/certs, or read eap.conf.  It's all there.

> I know the docs also say that it is not best practices to use a 
> publicly signed cert because ANYONE can auth against the server, 
> however since I am in a position where almost all of the computers 
> will NOT be managed by our staff (they are student workstations)  a public cert seems perfect.

  It's not a good idea because anyone can pretend to be the server, too.

> If anyone has another route that will allow me to auth windows clients 
> without having to manually install certs and/or manually configuring 
> the wireless adapters I would be very grateful to hear your suggestions.

  Not much.  Blame Microsoft for not making it easy.

  Alan DeKok.
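
An added example, not part of the thread and not FreeRADIUS's own files: shell functions that request the TLS Web Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1, the value set in the xpserver_ext section of raddb/certs/xpextensions) in a CSR and then confirm it is present. The subject fields, hostname and file names are constructed placeholders, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: CSR carrying the server-auth EKU that Windows supplicants
# look for in a RADIUS server certificate. All names are placeholders.

make_server_csr() {
    # $1 = output directory, $2 = server FQDN (constructed placeholder)
    dir=$1
    fqdn=$2

    # Minimal request config; the extension section name mirrors the one
    # used in raddb/certs/xpextensions.
    cat > "$dir/server.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = xpserver_ext

[ dn ]
C  = US
O  = Example University
CN = $fqdn

[ xpserver_ext ]
# id-kp-serverAuth (TLS Web Server Authentication)
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

    # Generate the key with a restrictive umask so it is never world-readable.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$dir/server.cnf" \
            -keyout "$dir/server.key" \
            -out "$dir/server.csr" 2>/dev/null
    )
}

csr_has_server_auth() {
    # $1 = path to a PEM CSR; succeeds only if the EKU is in the request.
    openssl req -in "$1" -noout -text |
        grep -q "TLS Web Server Authentication"
}
```

The CA decides which extensions end up in the issued certificate, so run the same check on the signed certificate with `openssl x509 -noout -text` before installing it.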