Design question

Matthew Newton mcn4 at leicester.ac.uk
Fri Feb 3 02:23:49 CET 2012


On Thu, Feb 02, 2012 at 06:27:31PM -0600, Dan Letkeman wrote:
> On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> > That will work, but you shouldn't. Create a different certificate
> > for each client, and for the radius server, all signed by the same
> > CA.
> 
> This would be a nightmare to manage.  We have 2000+ clients.  I see
> the advantage, if the certificate was compromised that this would be
> important, but how in the world would you manage this?

This is probably the main argument people have against EAP-TLS -
managing certificates.

Yes, you _could_ put the same private key and certificate on one
device, but then when that key gets copied/compromised, when one
laptop gets stolen and you want it off your network, what do you
do? You've now got to update ALL your clients with a new key/cert,
rather than just revoke the key of the one that got compromised.

...and you probably have no clue where the key was copied from, so
which user to blame.

Looking at it the other way, would you let all your users log in
with the same username and password?

In short, don't.

If you've got a Windows domain you should be able to use Microsoft
Certificate Services to do it for you. At least, I think that's
what the guys here do. All clients automatically get a
certificate (I assume as part of the domain join procedure &
associated policy, but I'm not knowledgeable enough in that area to
be sure). I don't know if you can use that when not in a domain.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
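The workflow the reply above argues for, as an added example that is not part of the original post or of FreeRADIUS's own certificate scripts: one private CA, one key pair and certificate per client (and one for the RADIUS server), and revocation of a single stolen device by putting only its certificate on a CRL while every other client keeps working. It uses just the openssl command-line tool; the CA name, host name and client names (laptop-0001 etc.) are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): per-client EAP-TLS certificates
# issued by one private CA, plus single-client revocation via a CRL.
# Every name below (Example EAP CA, radius.example.org, laptop-NNNN) is invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

ca_setup() {
    # Minimal directory layout that "openssl ca" expects.
    mkdir -p "$WORK/ca/newcerts" "$WORK/clients"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    echo 1000 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
copy_extensions  = none
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate; its key never leaves this directory.
    openssl req -x509 -config "$WORK/ca/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example EAP CA" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
    # Publish an (empty) CRL from day one so verifiers can always check one.
    openssl ca -batch -config "$WORK/ca/openssl.cnf" -gencrl \
        -out "$WORK/ca/ca.crl" 2>/dev/null
}

issue_cert() {
    # issue_cert <name> <client_ext|server_ext>
    # A distinct key pair per identity: the key is generated where it is used
    # and only the CSR travels to the CA.
    name=$1; ext=$2
    openssl req -new -config "$WORK/ca/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$WORK/clients/$name.key" \
        -out "$WORK/clients/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" -extensions "$ext" \
        -in "$WORK/clients/$name.csr" -out "$WORK/clients/$name.crt" 2>/dev/null
}

revoke_cert() {
    # Mark one certificate revoked in the CA database and reissue the CRL.
    # No other client or the server needs a new key or certificate.
    openssl ca -batch -config "$WORK/ca/openssl.cnf" \
        -revoke "$WORK/clients/$1.crt" 2>/dev/null
    openssl ca -batch -config "$WORK/ca/openssl.cnf" -gencrl \
        -out "$WORK/ca/ca.crl" 2>/dev/null
}

verify_cert() {
    # Exit 0 only if the cert chains to our CA and is absent from the CRL;
    # this is the check a RADIUS server performs on the client certificate.
    openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
        -CRLfile "$WORK/ca/ca.crl" "$WORK/clients/$1.crt" >/dev/null 2>&1
}

demo() {
    ca_setup
    issue_cert radius.example.org server_ext
    issue_cert laptop-0001 client_ext
    issue_cert laptop-0002 client_ext
    revoke_cert laptop-0001                      # the stolen laptop
    if verify_cert laptop-0001; then return 1; fi  # must now be rejected
    verify_cert laptop-0002                      # everyone else still works
}
```

Had all 2000 clients shared one key, the only way to lock out the stolen laptop would be to reissue and redeploy that key everywhere; here the CA operator runs revoke_cert once and pushes the new CRL to the RADIUS server. In FreeRADIUS that CRL is consumed through the tls section's check_crl and ca_path settings in the eap module configuration.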



More information about the Freeradius-Users mailing list