Certificate push for eap-tls clients

Matthew Newton mcn4 at leicester.ac.uk
Wed Jun 25 16:24:52 CEST 2014


On Wed, Jun 25, 2014 at 12:21:48PM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
> Unfortunately we don't run an openssl / tinyca etc based CA, it's AD
> based and I have no control over that, and we also need to stick with
> TLS rather than another method of PEAP like mschapv2.

As you say you're AD based, just in case you didn't realise: if
your clients are all Windows and joined to the domain, then CA
management is automatic and they will have a client cert on them
that you can just use to authenticate, so the domain manages that
side for you and you don't need to worry about it.

Of course, if some clients aren't domain joined then you do still
have the cert deployment issue, which is the usual issue with
EAP-TLS. As Alan said, you probably want to look at some other
deployment system. FreeRADIUS isn't that.

Remember you can still make an intermediate signing cert with e.g.
OpenSSL, sign it with the domain CA, then use that to generate all
certs for non-domain members, if you don't/can't use the AD cert
services directly.



Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
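The intermediate-CA approach from the reply above, as an added example that is not part of the original thread: an OpenSSL-built issuing CA whose CSR is signed by the domain CA, then used to issue clientAuth certs for non-domain machines. The domain CA is stood in for by a constructed self-signed root (an assumption; with AD CS you would submit inter.csr to the CA and get inter.crt back), and all names and paths are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds: domain root (stand-in)
# -> intermediate EAP-TLS issuing CA -> client cert for a non-domain machine.
set -eu

build_eaptls_chain() {
  dir="$1"; client="$2"
  mkdir -p "$dir"
  # 1. Stand-in for the domain CA (constructed; in practice you never hold this key).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Domain CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # 2. Intermediate signing cert: key + CSR made locally, signed by the domain CA.
  #    pathlen:0 limits it to issuing end-entity certs, not further sub-CAs.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example EAP-TLS Issuing CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/inter.ext"
  openssl x509 -req -days 365 -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/inter.ext" -out "$dir/inter.crt" 2>/dev/null
  # 3. Client cert for a non-domain member, issued by the intermediate. EAP-TLS peers
  #    look for the clientAuth EKU, so set it explicitly rather than leaving EKU empty.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
    -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -days 90 -in "$dir/$client.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/$client.crt" 2>/dev/null
  # 4. What the RADIUS server's CA file must contain so it can build the full chain:
  #    the intermediate plus the domain root.
  cat "$dir/inter.crt" "$dir/root.crt" > "$dir/chain.pem"
}

# Exit 0 only if the client cert chains to the domain root through the intermediate
# and is usable as a TLS client (-purpose sslclient checks the EKU/keyUsage set above).
verify_client() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" -purpose sslclient \
    "$1/$2.crt" >/dev/null 2>&1
}
```

Run `build_eaptls_chain ./pki laptop01` then `verify_client ./pki laptop01`; verifying against root.crt alone (without inter.crt) fails, which is exactly why the intermediate must be in the server's CA file.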
