Complex eduroam radius design

Phil Mayers p.mayers at imperial.ac.uk
Thu Nov 15 11:47:07 CET 2012


On 11/14/2012 06:54 PM, Brian Julin wrote:
>
>
>> Phil Mayers wrote:
>>
>> Yes. However, buying separate certs might not be a good idea as it will
>> complicate the client setup - they'll all have to come from the same CA
>> and share the same CN (or you'll have to rely on wildcard CN matching on
>> the clients).
>
> Has that actually been tested to work across the gallery of clients?  It is

No. Hence my suggestion that it "might not be a good idea" ;o)

> my impression that a lot of clients (e.g. IOS) will just barf on any certificate
> that isn't the first one it encountered on an SSID, unless and until the
> user gets frustrated and reconfigures.
>
> Not that I think running multiple certs offers any real benefit.  Perhaps
> for transitional purposes when expiry dates come up.

About the only real use-case I can think of for multiple certs is a 
desire to use a hardware crypto module for "security" i.e. prevent key 
exposure.

