A.L.M.Buxey at lboro.ac.uk
Fri Jan 20 15:36:37 CET 2012
> If you're using a private CA for signing the radius server certs, which
> is generally cited as best practice because it provides belt & braces;
> in the event a client does not learn & subsequently re-check the cert
> CN, a public CA would allow an attacker to impersonate your SSID. A
> private CA does not.
> Some people (us included) choose to use a public CA and accept the risk,
> in return for significantly easier deployment.
-under full control of organisation
-the organisation only can sign servers
-for 802.1X your clients only need to trust your server - closed loop. so why use public?
-CA management - skillset, can someone do the same in X years?
-distribution of the CA to the client
-most clients have the CA already present
-no need to learn about CA/PKI to such low level
-under whims of the CA and their issues (recall the Dutch CAs now revoked and now invalid)
-under whims of the remote CA policy (changing from being a root to intermediate)
-anyone can buy a certificate from a CA
-distribution - some CAs aren't on clients... so you need to distribute it anyway
CA distribution was always the issue for private CA - but most sites now go for
using a deployment tool of some kind to get clients set up - and all of them can deal with
installing a CA, so that's a problem gone. the system is closed-loop, visitors never need to
trust your RADIUS server cert...only your own folk do - so why use public in this space?
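An added example, not from this post or from the FreeRADIUS project, that models the point above with the openssl CLI: a supplicant that trusts a CA but never pins the RADIUS server name accepts any certificate that CA ever issued, a private CA removes that exposure, and pinning the name closes it for a public CA as well. The two CAs, the host names and the working directory are constructed for the demo; "public-ca" is a locally generated CA standing in for a commercial one that anyone can buy a certificate from.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Builds two small CAs and
# three server certificates, then runs the checks a supplicant performs on
# the EAP server certificate under different trust settings.
# Both CAs, all names and the working directory are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : self-signed CA key and certificate in $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA HOSTNAME LABEL : server certificate for HOSTNAME signed by CA,
# with a DNS SAN and the serverAuth EKU, stored as $WORK/LABEL.crt
issue() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

# check TRUSTED_CA LABEL [EXPECTED_NAME] : what the supplicant does when the
# EAP server presents LABEL.crt. Prints "ok" or "fail". Without EXPECTED_NAME
# only the chain is validated, which is the weak client setting the post warns about.
check() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" "$WORK/$2.crt" \
      >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" \
      >/dev/null 2>&1 && echo ok || echo fail
  fi
}

setup() {
  make_ca private-ca              # the organisation's own CA
  make_ca public-ca               # stands in for a commercial CA anyone can buy from
  issue private-ca radius.example.org ours-private
  issue public-ca  radius.example.org ours-public
  issue public-ca  rogue.example.com  rogue   # a cert anyone can buy, for any other name
}

setup
# Private CA as the supplicant's trust anchor: only our own certificate chains.
echo "private CA, our cert, chain only:    $(check private-ca ours-private)"   # ok
echo "private CA, rogue cert, chain only:  $(check private-ca rogue)"          # fail
# Public CA as trust anchor, no name pinned: the rogue cert is accepted too.
echo "public CA, our cert, chain only:     $(check public-ca ours-public)"     # ok
echo "public CA, rogue cert, chain only:   $(check public-ca rogue)"           # ok (impersonation)
# Public CA with the server name pinned: the rogue cert is rejected again.
echo "public CA, rogue cert, name pinned:  $(check public-ca rogue radius.example.org)"       # fail
echo "public CA, our cert, name pinned:    $(check public-ca ours-public radius.example.org)" # ok
```

The fourth line of output is the case the quoted reply describes: with a public CA in the trust store and no CN/SAN check, a certificate bought from that CA for an unrelated name validates cleanly. The first two lines show why a private CA does not need that extra client-side check to be safe, and the last two show that a public CA is acceptable only when every supplicant is configured with the expected server name.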