Question on certificates before deep dive into EAP-TLS

Mathieu Simon mathieu.sim at
Fri Apr 12 07:42:41 CEST 2013


Am 11.04.2013 20:08, schrieb Alan DeKok:
> <snip!>
>> The real-life example would be that people could use PEAP-MSCHAPv2 for
>> credential-based logins (server certificate being signed by a "trusted"
>> external CA)
>   While that works, it's not recommended.  It means that the client will
> trust *any* certificate signed by that CA, for network access.
>   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the
certificate (and its trust chain) signed by the "trusted" CA.

CA_file would only contain the internal CA, so that only those signed
by the one internal CA IT has control over would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
> <snip!>
>   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file)
being signed by a CA that most devices trust - since most of the users are
going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work,
it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA
through CA_file would allow us to more easily integrate those non-personal
but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu
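The split described in the message above (public CA for the server certificate, internal CA only as the trust anchor for client certificates, plus CRL checking), written out as an added FreeRADIUS 2.x eap.conf fragment; it is example configuration, not anything posted in the thread, and the file names under ${certdir} and ${cadir} are placeholders:

```conf
# Added example, not from the thread: the weak and the intended layout of
# the tls section side by side. File names are placeholders.
eap {
    default_eap_type = peap
    tls {
        # Server identity presented to PEAP and EAP-TLS clients:
        # certificate_file holds the server certificate followed by its
        # intermediate chain, issued by the public CA devices already trust.
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server-with-chain.pem

        # WEAK: using the public CA (bundle) as the trust anchor for client
        # certificates. Every certificate that CA ever issued, to anyone,
        # would then be accepted for EAP-TLS network access.
        #CA_file = ${cadir}/public-ca-bundle.pem

        # INTENDED: only the internal CA is trusted for client certificates,
        # so only school-owned devices with internally issued certs get in.
        # This does not affect which CA signed the server certificate above.
        CA_file = ${cadir}/internal-ca.pem

        # Revocation: CA_path must hold the internal CA's current CRL with a
        # c_rehash-style hashed name; with check_crl = yes and no CRL found,
        # OpenSSL fails verification for every client, so keep it updated.
        CA_path = ${cadir}
        check_crl = yes

        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
    peap {
        # Credential-based logins for personal devices go over PEAP,
        # which uses the same tls section for the server certificate.
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
```

A quick offline check of the client side of this policy is `openssl verify -CAfile internal-ca.pem client.pem`, which must succeed for internally issued device certificates and fail for anything issued by the public CA.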
