Complex eduroam radius design

Brian Julin BJulin at clarku.edu
Wed Nov 14 19:54:24 CET 2012



> Phil Mayers wrote:
> 
> Yes. However, buying separate certs might not be a good idea as it will
> complicate the client setup - they'll all have to come from the same CA
> and share the same CN (or you'll have to rely on wildcard CN matching on
> the clients).

Has that actually been tested to work across the gallery of clients?  It is
my impression that a lot of clients (e.g. iOS) will just barf on any certificate
that isn't the first one it encountered on an SSID, unless and until the
user gets frustrated and reconfigures.

Not that I think running multiple certs offers any real benefit.  Perhaps
for transitional purposes when expiry dates come up.

(Note: this behavior, while not completely secure, is probably as secure as
one could expect on a ...ehem... "BYOD" network with a nonconforming user
base, and is certainly superior to Android which will trust anything you
hand it.)

(Oh, also, if anyone wants to play with clients in a test environment
by sending them strange certificates at inopportune times, I left
some code on GitHub at skids/freeradius-server/tree/clientverify.
It is too ugly to propose as a serious patch, though.)
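The quoted advice above (all server certificates from the same CA, all with the same CN) is easy to get wrong when a RADIUS cluster grows or a certificate is renewed. The following shell script is an added example, not code from this thread or from FreeRADIUS: it builds a throwaway CA and three server certificates with openssl, then runs a check that every certificate a cluster would present chains to the one CA the client profiles trust and carries the expected CN. The CA name, the hostnames (radius.example.edu, radius-dr.example.edu) and the file names are made up for the demonstration; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway CA and a few
# server certificates, then verify that every certificate a RADIUS cluster
# presents chains to the same CA and carries the same CN.
# Assumes openssl is on PATH. All names below are invented for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA; in production this is the single CA the client profiles trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout ca.key -out ca.crt -subj "/CN=Example eduroam CA" >/dev/null 2>&1

# issue_cert PREFIX CN : issue a server certificate with CN, signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out "$1.crt" >/dev/null 2>&1
}

# Two servers behind one SSID sharing the CN the client profile expects.
issue_cert radius1 radius.example.edu
issue_cert radius2 radius.example.edu
# A third with a different CN: the misconfiguration the check should catch.
issue_cert radius3 radius-dr.example.edu

# cert_cn FILE : print the subject in RFC 2253 form ("CN=host"), with the
# "subject=" prefix stripped so old and new openssl versions agree.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=[ ]*//'
}

# check_fleet CAFILE EXPECTED_CN CERT... : each cert must verify against CAFILE
# and have subject CN=EXPECTED_CN. Returns 0 if all pass, 1 if any fails.
check_fleet() {
  ca="$1"; expected="$2"; shift 2
  rc=0
  for crt in "$@"; do
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
      echo "FAIL $crt: does not chain to $ca"; rc=1; continue
    fi
    cn=$(cert_cn "$crt")
    if [ "$cn" != "CN=$expected" ]; then
      echo "FAIL $crt: subject is '$cn', expected 'CN=$expected'"; rc=1; continue
    fi
    echo "ok   $crt"
  done
  return $rc
}

# A consistent pair passes; mixing in the odd CN is reported.
check_fleet ca.crt radius.example.edu radius1.crt radius2.crt
check_fleet ca.crt radius.example.edu radius1.crt radius3.crt || true
```

In practice you would point check_fleet at the certificates actually deployed on each server (or at what `openssl s_client` pulls from each one during an EAP test), with the CA file and CN taken from the client profile you hand out. It checks only the chain and the subject CN; if your profiles match on subjectAltName instead, extend cert_cn to print `-ext subjectAltName` as well.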
