Complex eduroam radius design
Phil Mayers
p.mayers at imperial.ac.uk
Thu Nov 15 11:47:07 CET 2012
On 11/14/2012 06:54 PM, Brian Julin wrote:
>
>
>> Phil Mayers wrote:
>>
>> Yes. However, buying separate certs might not be a good idea as it will
>> complicate the client setup - they'll all have to come from the same CA
>> and share the same CN (or you'll have to rely on wildcard CN matching on
>> the clients).
>
> Has that actually been tested to work across the gallery of clients? It is

No. Hence my suggestion that it "might not be a good idea" ;o)

> my impression that a lot of clients (e.g. IOS) will just barf on any certificate
> that isn't the first one it encountered on an SSID, unless and until the
> user gets frustrated and reconfigures.
>
> Not that I think running multiple certs offers any real benefit. Perhaps
> for transitional purposes when expiry dates come up.

About the only real use-case I can think of for multiple certs is a
desire to use a hardware crypto module for "security" i.e. prevent key
exposure.