Certificate push for eap-tls clients

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Wed Jun 25 18:27:42 CEST 2014 

Hi,
  Thanks for the messages back. I'd forgotten about insertion of the CA
into the certificate chain with openssl, which is helpful. I guess it
would be useful to experiment with using a certificate tool, web server
and autogenerated html page via php or something to give the user a
one-time link if they are put into the "remuneration" vlan by
freeradius. No idea how you start packaging up profiles but maybe the
CAT tool is useful there. Seems to always be a case of "use the
commercial or brew your own" with what I'm doing at the moment!
Cheers
Andy

-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of Matthew Newton
Sent: 25 June 2014 15:25
To: FreeRadius users mailing list
Subject: Re: Certificate push for eap-tls clients

Hi,

On Wed, Jun 25, 2014 at 12:21:48PM +0100, Franks Andy (RLZ) IT Systems
Engineer wrote:
> Unfortunately we don't run an openssl / tinyca etc based CA, it's AD 
> based and I have no control over that, and we also need to stick with 
> TLS rather than another method of PEAP like mschapv2.

As you say you're AD based, just in case you didn't realise: if your
clients are all Windows and joined to the domain, then CA management is
automatic and they will have a client cert on them that you can just use
to authenticate, so the domain manages that side for you and you don't
need to worry about it.

Of course, if some clients aren't domain joined then you do still have
the cert deployment issue, which is the usual issue with EAP-TLS. As
Alan said, you probably want to look at some other deployment system.
FreeRADIUS isn't that.

Remember you can still make an intermediate signing cert with e.g.
OpenSSL, sign it with the domain CA, then use that to generate all certs
for non-domain members, if you don't/can't use the AD cert services
directly.

Cheers,

Matthew



--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University
of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list