Configuring PEAP

Mason Loring Bliss mason at blisses.org
Thu Sep 24 18:02:10 CEST 2015


On Thu, Sep 24, 2015 at 08:19:31AM +0000, A.L.M.Buxey at lboro.ac.uk wrote:

> my first advice to you is to upgrade - 2.1.12 is *old*. seriously old. it
> came out in sept 2011 and is no longer maintained. If you go to CentOS 7
> you'll get 2.2.x (but once again, you really should be using version 3 now)

Is there any issue you can think of using 3.0.9 on CentOS 6? I don't mind
building it from source if the infrastructure will support it.


> Mac clients can no longer have 802.1X config done manually in the network
> config section - they need to be configured using a .mobileconfig file

Alright. Thanks. I'll look at this.


> the commonname of the cert is its CN as per the output of
> 
> openssl x509 -in server.pem -text -noout

Oh, I know this part, but I'm wondering how the CN is *used*. Specifically,
is my FreeRADIUS server sending something that has to match the cert? If my
server is foo.bar.com, does it actually send its hostname to the client
that's trying to connect? The examples I've found so far have CNs that are
more or less freeform, quoted strings.

Related, my goal once I've worked out the details is to have a small cluster
of these. I can load-balance between them but I was thinking more of having
a freestanding pool. If FreeRADIUS is sending its hostname for matching this
would be problematic done through a load balancer, and if I'm not doing it
through a load balancer it seems like I'd need one certificate per FreeRADIUS
server, rather than having a shared cert for the role, especially if I can't
use wildcards.

Maybe the local CA option will be best here. I'll explore it. Knowing how the
CN is used between the client and server would be great, though. In this
case, it's assumed that the clients won't have other access to the network
until they authenticate and connect through the WAPs and FreeRADIUS.


> well, you need the xpextensions for sure.... but you also need the root CA
> to be known and trusted by the device...

The DigiCert CA certificate was known by the Macs already, but I'll look at
the provisioning mechanism(s) you described to see if there was something
there.


> *however* if you are doing things with a configuration tool, then local CA
> issue for ease of use goes... it's configured for the user AND secure.

This sounds more and more appealing the more I think about it.

Thanks for the help thus far! I'll write back more if I get stumped by other
things, but for now I'm going to try to get 3.0.9 on my EL6 test box and look
at the provisioning situation.

-- 
Mason Loring Bliss          mason at blisses.org          Ewige Blumenkraft!
awake ? sleep : random() & 2 ? dream : sleep; -- Hamlet, Act III, Scene I
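[Added example, not part of the thread above and not FreeRADIUS code. It models the
name check a PEAP supplicant performs on the RADIUS server certificate: the server
never sends its hostname inside EAP, so the client compares the names in the
certificate (Subject CN and any DNS Subject Alternative Names) against a list it was
given in its profile (TLSTrustedServerNames in a macOS .mobileconfig, "Connect to
these servers" on Windows), after the chain has already validated to a trusted CA.
The certificate text is a constructed sample shaped like `openssl x509 -text -noout`;
the wildcard rule (a single `*` as the leftmost label) is an assumption, since
supplicants differ on it. The check with an empty trusted-name list is kept as real
supplicants behave, to show why "any cert from a public CA" is the weak spot.]

```python
"""Model of the server-name check a PEAP supplicant applies to the RADIUS cert.

Added example; not from the mailing list and not FreeRADIUS code.  Chain
validation to the trusted CA is assumed to have already succeeded.
"""
import re

# Constructed sample, in the layout of `openssl x509 -in server.pem -text -noout`.
# One shared "role" certificate for a small cluster: CN plus one SAN per member.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Lab Root CA, O = Example
        Validity
            Not Before: Sep 24 00:00:00 2015 GMT
            Not After : Sep 23 23:59:59 2017 GMT
        Subject: C = US, O = Example, CN = radius.example.edu
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:radius.example.edu, DNS:radius1.example.edu, DNS:radius2.example.edu
    Signature Algorithm: sha256WithRSAEncryption
"""


def parse_openssl_text(text):
    """Pull Subject CN, SAN DNS names and EKU out of `openssl x509 -text` output.

    Handles both the `CN=x` and the newer `CN = x` spacing.  Only the fields the
    supplicant's name/EKU check needs are extracted.
    """
    lines = text.splitlines()
    cert = {"cn": None, "san_dns": [], "eku": []}
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):
            m = re.search(r"\bCN\s*=\s*([^,]+)", s)
            if m:
                cert["cn"] = m.group(1).strip()
        elif s.startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            cert["san_dns"] = re.findall(r"DNS:([^,\s]+)", lines[i + 1])
        elif s.startswith("X509v3 Extended Key Usage:") and i + 1 < len(lines):
            cert["eku"] = [e.strip() for e in lines[i + 1].split(",")]
    return cert


def dns_match(a, b):
    """Case-insensitive DNS comparison; either side may use '*' as its whole
    leftmost label and it matches exactly one label (assumed rule)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    if a == b:
        return True
    for pattern, name in ((a, b), (b, a)):
        if pattern.startswith("*."):
            p_labels, n_labels = pattern.split(".")[1:], name.split(".")
            if len(n_labels) == len(p_labels) + 1 and n_labels[1:] == p_labels \
                    and n_labels[0] != "*":
                return True
    return False


def supplicant_accepts(cert, trusted_server_names, require_server_auth=True):
    """Return (accepted, reason) for the post-chain part of the client check.

    The RADIUS server sends no hostname, so `trusted_server_names` is the only
    thing the certificate's names can be compared against.  An empty list means
    any certificate issued by the trusted CA is accepted, which is the weak
    configuration the thread is circling around.
    """
    if require_server_auth and "TLS Web Server Authentication" not in cert["eku"]:
        return False, "certificate lacks the serverAuth extended key usage"
    cert_names = ([cert["cn"]] if cert["cn"] else []) + list(cert["san_dns"])
    if not trusted_server_names:
        return True, "no trusted server names configured: any cert from the CA passes (weak)"
    for trusted in trusted_server_names:
        for name in cert_names:
            if dns_match(trusted, name):
                return True, "cert name %r matches trusted name %r" % (name, trusted)
    return False, "none of %r is in the trusted list %r" % (cert_names, list(trusted_server_names))


if __name__ == "__main__":
    cert = parse_openssl_text(SAMPLE_CERT_TEXT)
    print("parsed:", cert)
    for trusted in (["radius.example.edu"], ["radius2.example.edu"],
                    ["*.example.edu"], ["radius.other.edu"], []):
        print("%-28s -> %s: %s" % (trusted, *supplicant_accepts(cert, trusted)))
```

The cluster question in the message falls out of this: whichever member answers, the
client only ever sees the certificate and its own configured names, so one role
certificate whose SAN lists every member (or a wildcard, where the supplicant honours
it) works behind a load balancer or a freestanding pool alike, while per-host
certificates require every host's name to be in each client's trusted list.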