distributed authentication scheme advice needed

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 28 12:21:19 CEST 2011


On 28 Sep 2011, at 12:11, Zeus V Panchenko wrote:

> thanks for quick reply
> 
> Arran Cudbard-Bell (a.cudbardb at freeradius.org) [11.09.28 08:28] wrote:
>> 
>> Yes, home server pools let you specify a 'fallback' home server
>> which can point to a virtual server. It should be working in v2.1.x
>> but is currently broken in 3.x.
>> 
>> See proxy.conf for details.
>> 
> 
> if I have core.radius.my.domain as my primary RADIUS server and
> fallback.radius.my.domain as the RADIUS server installed on the AP,
> 
> then I need in proxy.conf
> 
> home_server_pool my_auth_failover {
> 	type = fail-over
> 	home_server = core.radius.my.domain
> 	fallback = fallback.radius.my.domain
> }
> 
> but then I need to configure EAP/TLS on fallback.radius.my.domain
> identically to the core.radius.my.domain one, correct?
> 

Correct.

> since without the same server certificates my clients will not be able
> to authenticate with fallback.radius.my.domain
> 
> am I correct?

Partially. If you're using your own CA, then you could just sign multiple sets of server certificates and trust your CA on the clients. That's one of the neat things about the PKI model.

If you're using a commercial CA, then the cost of all those certificates might be prohibitive, and you should be using CN field checking, so yes you'd probably want to use the same certificates on all servers, even though it increases the risk of private key exposure.

-Arran

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
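The private-CA option Arran describes, as an added example that is not part of the thread or of FreeRADIUS itself: one self-signed CA issues a separate certificate, with its own private key, to core.radius.my.domain and to fallback.radius.my.domain, and a supplicant that trusts only that CA accepts both while rejecting an impostor certificate for the same CN signed by some other CA. The two hostnames come from the thread; the CA names, the impostor scenario, the scratch directory and the file names are assumptions made for the demo. It needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): one private CA
# issuing a distinct server certificate and key to each RADIUS server.
# The hostnames are from the thread; the CA names, the impostor CA and the
# scratch directory are assumptions made for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: this single certificate is what the supplicants
# (wpa_supplicant, Windows, ...) are configured to trust for EAP-TLS.
make_ca() {                       # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Server certificate: a fresh key per server, CSR signed by the named CA.
issue_server_cert() {             # $1 = CA prefix, $2 = file prefix, $3 = CN
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 825 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# What the supplicant checks first: does the server cert chain to the CA it trusts?
verify_chain() {                  # $1 = file prefix; exit 0 if trusted
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Subject CN as the supplicant's CN check would see it, e.g. CN=core.radius.my.domain
cert_cn() {                       # $1 = file prefix
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit 0 if two servers hold different private keys (compare public-key digests),
# i.e. losing one server's key does not expose the other's.
keys_differ() {                   # $1, $2 = file prefixes
    a=$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null | openssl dgst -sha256)
    b=$(openssl pkey -in "$WORK/$2.key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$a" != "$b" ]
}

setup_pki() {
    make_ca ca "Private RADIUS CA"                        # assumed CA name
    issue_server_cert ca core     core.radius.my.domain
    issue_server_cert ca fallback fallback.radius.my.domain
    # Impostor: the right CN, but signed by a CA the clients do not trust.
    make_ca rogue-ca "Some Other CA"                      # assumed name
    issue_server_cert rogue-ca impostor core.radius.my.domain
}

setup_pki
for s in core fallback impostor; do
    if verify_chain "$s"; then r=trusted; else r=REJECTED; fi
    printf '%-9s %-30s %s\n' "$s" "$(cert_cn "$s")" "$r"
done
if keys_differ core fallback; then
    echo "core and fallback hold different private keys"
fi
```

The chain check is what makes the impostor fail even though its CN is correct; the CN check matters the other way round, against a certificate the trusted CA legitimately issued for a different host. With a commercial CA you would be paying for each of the per-host certificates above, which is why the thread notes that copying one certificate and key to every server is cheaper but widens the blast radius of a key compromise.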