Question on certificates before deep dive into EAP-TLS
mathieu.sim at gmail.com
Fri Apr 12 07:42:41 CEST 2013
On 11.04.2013 20:08, Alan DeKok wrote:
>> The real-life example would be that people could use PEAP-MSCHAPv2 for
>> credential-based logins (server certificate being signed by a "trusted"
>> external CA)
> While that works, it's not recommended. It means that the client will
> trust *any* certificate signed by that CA, for network access.
> It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)
certificate_file - the server-side certificate - would contain the
(and its trust chain) by the "trusted" CA.
CA_file would only contain the internal CA, so that only those signed
by the one internal CA IT has control over would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
> You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate signed by a CA
that most devices trust - since most of the users are going to use
PEAP-MSCHAPv2 with devices not under direct control of IT.
Telling students how to install an internal CA root isn't going to work;
it didn't work for teachers in the past ...
But allowing only (internal) devices with certs from the internal CA
would allow us to more easily integrate those non-personal but
I just hope I'm not telling complete bullshit... ;-)
Thank you Alan for your time to answer!
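As an added illustration of the layout described in this reply (server certificate from a public CA in certificate_file, only the internal CA in CA_file, CRL checking enabled), here is a tls block in the style of a FreeRADIUS 2.x eap.conf. It is not from the thread or from the FreeRADIUS project; the file names and the example.edu host name are assumptions.

```conf
# Added example in the style of FreeRADIUS 2.x raddb/eap.conf (not the project's file).
certdir = ${confdir}/certs     # assumed location of server key/cert
cadir   = ${confdir}/certs     # assumed location of internal CA + CRL

eap {
        default_eap_type = peap

        tls {
                # Server identity as presented to all EAP clients (PEAP and EAP-TLS):
                # a certificate issued by a public CA, with its intermediate chain
                # appended, so unmanaged PEAP devices validate it without a new root.
                # Caveat (Alan's point above): those devices will then accept *any*
                # server certificate issued by that public CA for network access.
                certificate_file = ${certdir}/radius.example.edu.fullchain.pem
                private_key_file = ${certdir}/radius.example.edu.key

                # Trust anchors for *client* certificates (EAP-TLS): only the
                # internal CA. A client cert issued by the public CA above is
                # rejected because that CA is deliberately absent from this file.
                CA_file = ${cadir}/internal-ca.pem

                # Revocation: check_crl needs CA_path pointing at a c_rehash'd
                # directory holding the internal CA cert and its current CRL.
                # Keep the CRL refreshed; an expired CRL makes verification fail.
                CA_path   = ${cadir}
                check_crl = yes

                dh_file     = ${certdir}/dh
                random_file = /dev/urandom
        }

        # PEAP-MSCHAPv2 for credential logins reuses the same tls { } settings.
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}
```

Clients that should be admitted on a certificate alone use EAP-TLS against this same server; everything else falls through to PEAP with username/password.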