Distributing Certificates

Francois Gaudreault fgaudreault at inverse.ca
Fri Jan 6 21:06:41 CET 2012


If you PCs are all Windows, and they are all member of an AD domain (or 
subdomains), use PEAP with machine auth (or machine+user auth).  It is 
much less painful than deploy 600 client certificates.

PEAP also works with Mac OSZ and Linux box using user authentication.

On 12-01-06 1:44 PM, David Mitton wrote:
> You can do such things as suggested... but you haven't articulated 
> what your goal is and what you will be using the certificates for?
> 802.1X doesn't "require" certificates... but you may want to use them 
> depending on what you are trying to do.
>
> Dave.
>
>
> Quoting "Danner, Mearl" <jmdanner at samford.edu>:
>
>> If you are using AD and have a CA set up you can create  
>> autoenrollment gpo's for domain attached machines. You can issue  
>> either user or computer certs. Can also configure the Windows  
>> wireless supplicant via gpo.
>>
>> Mearl
>>
>> From:  
>> freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org  
>> [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org]  
>> On Behalf Of McSparin, Joe
>> Sent: Friday, January 06, 2012 10:18 AM
>> To: FreeRadius users mailing list
>> Subject: Distributing Certificates
>>
>> Now that I have my Radius server configured I need to begin  
>> implementation I have 600 computers that will be using it.  The  
>> question I am wondering is do I have to go around and install a  
>> certificate on every one of the computers and then maintain that  
>> every year changing out the certificate on 600 computers or is there 
>>  some way that the server passes out certificates when the machine  
>> logs on.  Or do I have an incorrect understanding of how to  
>> implement 802.1x security.
>> Joseph R. McSparin
>> Network Administrator
>> Hill Country Memorial Hospital
>> 830 990 6638 phone
>> 830 990 6623 fax
>> jmcsparin at hillcountrymemorial.org
>>
>> ________________________________________
>> This email message and any attachments are for the sole use of the  
>> intended recipient(s) and contain confidential and/or privileged  
>> information. Any unauthorized review, use, disclosure or  
>> distribution is prohibited. If you are not the intended recipient,  
>> please contact the sender by reply email and destroy all copies of  
>> the original message and any attachments.
>>
>> -
>> List info/subscribe/unsubscribe? See  
>> http://www.freeradius.org/list/users.html
>>
>
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)




More information about the Freeradius-Users mailing list