Distributing Certificates

Mark Holmes mark.holmes at nuffield.ox.ac.uk
Fri Jan 20 09:16:55 CET 2012


>Your problem is going to be >distributing the server cert to the >clients NOT distributing client

Maybe I've missed something here, but why will he need to distribute a cert to clients?

If the certificate you use on your RADIUS server is signed by a known CA-in which case the client should already have the relevant root certificate and so will trust the certificate presented by the server.

This is assuming he is using certificates for confirming identity of the server, not for EAP-TLS etc.

Cheers,

Mark



On 6 Jan 2012, at 21:43, "Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu> wrote:

> It may be a misunderstanding on my part but I believe any encrypted protocol would need a cert of some sort.  PEAP is an encrypted tunnel thus you will need a cert.  FR will generate its own certs for testing but for production you should generate your own.  We are making the move to 802.1x in the next few months and will be using a self-signed cert on the FR server and deploying it to the users' machines via a third party tool from a company called cloud path.
>
> Suffice it to say that windows Vista and beyond MUST have the server cert installed or be configured to ignore server certs before you can use any encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP would show you a dialogue box with a warning but that functionality is gone in Vista and 7.
>
> MAC OS and Linux will still allow you to download the cert and install it on first use, windows will not.
>
> Your problem is going to be distributing the server cert to the clients NOT distributing client certs (unless you are using EAP/TLS or the like), as mentioned before AD makes this easy via GPO / login scripts.  However if you clients are not part of your domain then you have very few choices.
>
> 1) Roll your own program to install the cert for them
> 2) Buy a solution to install the cert (like cloud path)
> 3) issue instructions to the clients and have them install the certs manually
> 4) go around and install all the certs your self
>
> There a pros and cons for each.  BTW for security reasons you should use a self-signed cert, that being the case you can make the cert valid for 99 years, then revoke it when you have time to redistribute them ; )
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
> -----Original Message-----
> From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of McSparin, Joe
> Sent: Friday, January 06, 2012 3:07 PM
> To: FreeRadius users mailing list
> Subject: RE: Distributing Certificates
>
> I don't have any particular desire to use certificates thus far in testing mode have been using PEAP and just ignoring the warning that tells me there is a certificate on the server that doesn't match.  I assumed in deployment I would have to install certificates so the users wouldn't be confused when they saw that message.  I thought that FreeRadius had to have certificates set up even if they were just example ones.  Radiusd -X runs bootstrap which creates example certificates automatically.  This led me to believe that certificates were somehow integral to 802.1x.  Is that not the case?  If so how can you take certificates completely out of the equation?
>
>
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcsparin at hillcountrymemorial.org
>
> -----Original Message-----
> From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org at lists.freeradius.org [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org at lists.freeradius.org] On Behalf Of David Mitton
> Sent: Friday, January 06, 2012 12:44 PM
> To: freeradius-users at lists.freeradius.org
> Subject: RE: Distributing Certificates
>
> You can do such things as suggested... but you haven't articulated what your goal is and what you will be using the certificates for?
> 802.1X doesn't "require" certificates... but you may want to use them depending on what you are trying to do.
>
> Dave.
>
>
> Quoting "Danner, Mearl" <jmdanner at samford.edu>:
>
>> If you are using AD and have a CA set up you can create
>> autoenrollment gpo's for domain attached machines. You can issue
>> either user or computer certs. Can also configure the Windows
>> wireless supplicant via gpo.
>>
>> Mearl
>>
>> From:
>> freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org
>> [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org]
>> On Behalf Of McSparin, Joe
>> Sent: Friday, January 06, 2012 10:18 AM
>> To: FreeRadius users mailing list
>> Subject: Distributing Certificates
>>
>> Now that I have my Radius server configured I need to begin
>> implementation I have 600 computers that will be using it.  The
>> question I am wondering is do I have to go around and install a
>> certificate on every one of the computers and then maintain that
>> every year changing out the certificate on 600 computers or is there
>> some way that the server passes out certificates when the machine
>> logs on.  Or do I have an incorrect understanding of how to
>> implement 802.1x security.
>> Joseph R. McSparin
>> Network Administrator
>> Hill Country Memorial Hospital
>> 830 990 6638 phone
>> 830 990 6623 fax
>> jmcsparin at hillcountrymemorial.org
>>
>> ________________________________________
>> This email message and any attachments are for the sole use of the
>> intended recipient(s) and contain confidential and/or privileged
>> information. Any unauthorized review, use, disclosure or
>> distribution is prohibited. If you are not the intended recipient,
>> please contact the sender by reply email and destroy all copies of
>> the original message and any attachments.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Nuffield College is a Registered Charity No. 1137506. Registered Office: Nuffield College, New Road, Oxford, OX1 1NF




More information about the Freeradius-Users mailing list