EAP-TLS: Same cert, multiple servers and locations?

Ted Hyde laserted at gmail.com
Fri May 6 21:59:45 CEST 2016


Greets -
I've just recently returned back to the 'ol RADIUS game and was 
pleasantly surprised to see how much easier it has become. I was able to 
accelerate through PAP/MD5/LEAP and for the past week have been dancing 
around full-on EAP-TLS for wireless supplicants, and am happy to be 
successful.
I built our certs using OpenSSL, and have a variety of supplicants to deploy, 
including iPads and Windows devices. It dawned on me just now that some 
of the iPads would like to actually roam amongst different server setups 
- completely different physical networks, which could be accommodated 
with different SSIDs and certs: just load them all onto the iPads and 
go. That seems to be a little bit of a headache to scale up to larger 
numbers. We did try to anticipate this to some extent as our current 
wifi setup is a single SSID for all of our wifi networks, regardless of 
their physical location (spanning different cities even), but we were 
using WPA2/PSK, so it was pretty easy to administer. I would love to 
maintain that "walk-and-go" ability that a single SSID and PSK combo 
gave us.

With the certificates, however, they get locked to a common name for 
installation, and I have traditionally always used the server name for 
that. For a lot of reasons, the server names are different site to site, 
so using the server names for common names in the certificates results 
in many certificates, i.e. site01-s1, site02-s1, site03-s1, ...

Can I use a single common name (i.e. myglobalsites) for the certificate 
set across my entire domain, and simply copy the entire set 
(ca/pem/der/p12) from site to site? Do OpenSSL and FreeRADIUS together 
use any hardware info (CPU serial, resolved IP addr, etc.) that would 
cause a copied cert to crash? I am aware of "cert builder apps" as well 
as traditional (verisign) SSL-certs that are built off-site that would 
have no idea of my actual hardware config, so my understanding is that 
this would work. However I have not used the standalone apps for 
building, only openssl on the host machine (and prior to this just for 
VPN security, which was pretty straightforward).

I realize this may be a little more openssl-oriented than freeradius 
specifically, however I'm curious if anyone has experience with the 
process having a specific relationship or change to freeradius.

Thanks in advance!
Regards,
Ted.
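Added example, not part of Ted's post or of the FreeRADIUS project: it builds a throwaway CA and a server cert with the site-independent CN "myglobalsites" (taken from the question as a placeholder), copies the resulting bundle into a second directory standing in for another site, and checks that the copy still verifies and that key, cert and PKCS#12 agree. The CA name, passphrase and directory names are constructed for the example.

```shell
#!/bin/sh
# Constructed demo: nothing in an X.509 cert or key ties it to the host
# that generated it, so a copied set works anywhere the CA is trusted.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_shared_server_cert() {
  mkdir -p "$WORK/site01" && cd "$WORK/site01" &&
  # Private CA for the lab (placeholder name)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Lab CA" -keyout ca.key -out ca.pem 2>/dev/null &&
  # Server key + CSR with one CN for every site
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myglobalsites" \
    -keyout server.key -out server.csr 2>/dev/null &&
  # serverAuth EKU is what EAP-TLS supplicants expect on the RADIUS cert
  printf 'extendedKeyUsage=serverAuth\n' > server.ext &&
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.pem 2>/dev/null &&
  # Bundle as it would be handed out (passphrase is a placeholder)
  openssl pkcs12 -export -inkey server.key -in server.pem -certfile ca.pem \
    -passout pass:changeme -out server.p12 2>/dev/null
}

verify_copied_bundle() {
  mkdir -p "$WORK/site02" &&
  cp "$WORK/site01/ca.pem" "$WORK/site01/server.pem" \
     "$WORK/site01/server.key" "$WORK/site01/server.p12" "$WORK/site02/" &&
  cd "$WORK/site02" &&
  # Chain still validates from the copied files alone
  openssl verify -CAfile ca.pem server.pem >/dev/null &&
  # Private key and certificate still belong together
  [ "$(openssl pkey -in server.key -pubout 2>/dev/null)" = \
    "$(openssl x509 -in server.pem -pubkey -noout)" ] &&
  # PKCS#12 opens with its passphrase
  openssl pkcs12 -in server.p12 -passin pass:changeme -nokeys -noout 2>/dev/null &&
  # Subject is the shared CN, not a per-site hostname
  openssl x509 -in server.pem -noout -subject | grep -q 'CN *= *myglobalsites'
}

# Caveat for the shared-cert design: one private key now protects every
# site, so a compromise at any site exposes all of them.
build_shared_server_cert
verify_copied_bundle
echo "copied bundle verifies at site02"
```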

