p.mayers at imperial.ac.uk
Fri Jan 20 11:48:51 CET 2012
On 01/20/2012 08:16 AM, Mark Holmes wrote:
>> Your problem is going to be>distributing the server cert to
>> the>clients NOT distributing client
> Maybe I've missed something here, but why will he need to distribute
> a cert to clients?
If you're using a private CA for signing the radius server certs, which
is generally cited as best practice because it provides belt & braces;
in the event a client does not learn & subsequently re-check the cert
CN, a public CA would allow an attacker to impersonate your SSID. A
private CA does not.
Some people (us included) choose to use a public CA and accept the risk,
in return for significantly easier deployment.
More information about the Freeradius-Users