Design question

NdK ndk.clanbo at gmail.com
Fri Feb 3 08:48:35 CET 2012


On 03/02/2012 01:27, Dan Letkeman wrote:

>> That will work, but you shouldn't. Create a different certificate
>> for each client, and for the radius server, all signed by the same
>> CA.
> 
> This would be a nightmare to manage.  We have 2000+ clients.  I see
> the advantage, if the certificate was compromised that this would be
> important, but how in the world would you manage this?
The other method is worse, as Matthew said :)
Just email every user the cert to install together with the instructions
to do so.

Or you could evaluate joining machines to AD, then perform just machine
authentication or choose to do both machine auth and user auth so you
could place machines with no domain user logged in on a VLAN and
machines with specific domain users on another. This way local users can
only have "minimal" network access, while authenticated users can access
"reserved" portions of your network. And you can remotely manage
machines as soon as they're connected.

BYtE,
 Diego.
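The per-client certificate model discussed in the thread, as an added example (not code from the mailing list or the FreeRADIUS project): one private CA issues a certificate for the RADIUS server and one for each client with the openssl CLI, and a single client certificate is then revoked through a CRL while the others stay valid. It assumes the openssl command is installed, a writable scratch directory, and the client names are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: one private CA signs one cert per client
# and one for the RADIUS server. Because every cert carries its own serial
# number, a single compromised client cert can be revoked via a CRL while all
# other clients keep working. Client names below are constructed samples.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: a writable scratch directory
cd "$WORK"

# Minimal 'openssl ca' configuration, used only for revocation and CRL
# generation (issuing is done with 'openssl x509 -req' to keep it short).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = rad_ca
[ rad_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/ca.srl
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
: > index.txt

make_ca() {   # self-signed CA; in production keep ca.key offline
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example EAP-TLS CA" -keyout ca.key -out ca.crt 2>/dev/null
}

issue_cert() {   # $1 = name, $2 = client|server
    name="$1"; kind="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    if [ "$kind" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    printf 'extendedKeyUsage=%s\n' "$eku" > "$name.ext"
    # -CAcreateserial keeps a counter in ca.srl, so each cert gets a unique serial
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    rm -f "$name.csr" "$name.ext"
}

serial_of() { openssl x509 -in "$1.crt" -noout -serial | cut -d= -f2; }

revoke_cert() {   # mark $1 revoked and publish a fresh CRL next to the CA cert
    openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    cat ca.crt ca.crl > ca-chain-with-crl.pem
}

cert_ok() {   # returns 0 if $1's cert chains to the CA and is not on the CRL
    if [ -f ca-chain-with-crl.pem ]; then
        openssl verify -crl_check -CAfile ca-chain-with-crl.pem "$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
    fi
}

# Demo: server cert plus three constructed client names, then revoke one.
make_ca
issue_cert radius server
for c in laptop-001 laptop-002 laptop-003; do issue_cert "$c" client; done
revoke_cert laptop-002
for c in laptop-001 laptop-002 laptop-003; do
    if cert_ok "$c"; then echo "$c: valid"; else echo "$c: REVOKED/invalid"; fi
done
```

The loop over client names is where the "2000+ clients" objection is answered: issuing is a script, not a manual step, and the per-certificate serial is what makes single-client revocation possible. Only the resulting `.key`/`.crt` pair (not `ca.key`) needs to reach each machine, and on the server side FreeRADIUS must be pointed at both the CA certificate and the published CRL for the revocation to take effect.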



More information about the Freeradius-Users mailing list