Generating a Microsoft compatible CSR for FreeRADIUS
Christ Schlacta
lists at aarcane.org
Fri Jan 21 01:05:53 CET 2011
2 issues
1) is there a listing somewhere of all OIDs and what they all mean to
windows (XP) ?
2) Issuing client certs isn't that difficult. with windows vista/7,
installing a cert is a simple double-click operation, so if they have a usb
flash, you can use linux to zip a copy of their private key and a .doc with
instructions (including screenies!) on configuring their OS in a matter of
seconds, all they have to do is stop by IT to request a key once, and it's
good for as long as you honour it.
On Thu, Jan 20, 2011 at 3:10 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
> > > To clarify, they can pretend to be a valid server, because *anyone*
> signed by Verisign is a valid server.
> >
> > > To go one step further, they can have verisign sign a CA, and then use
> that CA to create *any* certificate they want,
> > > including one which pretends to be your server. Most users won't
> bother reading the entire certificate chain.
> > > They'll just see "mit.edu" (or >whatever) and click "OK".
> >
> > Ahh , I see what you mean. Thank you for the clarification. The masses
> of undereducated and/or apathetic users out there are the biggest challenges
> facing IT pros.
>
> aye. this is why a self-signed cert can be beneficial...its a closed-loop
> system
> then - only your own users ever authenticate against your server (ie use
> the
> SSL cert to create an EAP tunnel to do things) - external users/visitors
> would
> be proxied off to their home site (eg if using eduroam) - so you dont need
> to
> worry about them getting the CA onto their system.
>
> you can shore things up a bit by ensuring that the clients are configured
> to
> only trust the CA you've chosen...and filled in the RADIUS server name
> (well,
> its CN from the SSL cert it provides when making the tunnel). but, once
> again, thats getting things done right... most users with most OS's will
> just click on the SSID and fill in basic details when prompted (I guess
> at least a lot of pain is now gone from 802.1X network connections....quick
> and dirty).
>
> PS dealing with public CA's isnt always so clear cut and quick - sometimes
> the OS needs to be updated/patched before the CA is available...or updated
> CA is supplied...and sometimes the train of trust changes so what was a CA
> becomes an intermediary etc - so you have to deal with those cases too.
>
> PS as already said, the extensions you need are documented and provided
> in the 'xpextensions' file - they're basically how windows decides
> 'purpose'
> of the cert. tiresome really.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110120/bac00f10/attachment.html>
More information about the Freeradius-Users
mailing list