reuse EAP-TLS client certificate

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 9 18:39:43 CEST 2015


> On 9 Sep 2015, at 17:38, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>> On 9 Sep 2015, at 16:51, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>> 
>> On Wed, Sep 09, 2015 at 10:43:34AM -0500, Matt Zagrabelny wrote:
>>> With EAP-TLS, can one reuse the same client cert across multiple devices?
>>> 
>>> I'm guessing "yes", but would appreciate confirmation.
>> 
>> Yes, FR doesn't care about where the certificate comes from, only that
>> it's valid.
>> 
>> But then when you need to remove one client from the network, you
>> revoke its certificate and...
>> 
>> ...so no, it's not a good idea for several reasons.
>> 
>> 
>>> Tangentially, is there a way to "pin" a certificate to a client's MAC address?
>> 
>> Yes, with grand illusions of security that don't exist. Until a
>> recent O/S comes along and starts using random MAC addresses, that
>> is.
> 
> Ahhh every time I read about it, I start clapping gleefully and making te-he-he noises.

Actually it's more of a Muttley - shhshshh

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
