EAP-TLS: Same cert, multiple servers and locations?
laserted at gmail.com
Fri May 6 21:59:45 CEST 2016
I've just recently returned back to the 'ol-RADIUS-game' and was
pleasantly surprised to see how much easier it has become. I was able to
accelerate through PAP/MD5/LEAP and for the past week have been dancing
around full-on EAP-TLS for wireless supplicants, and am happy to be
I built our certs using OpenSSL, and have a variety of sup's to deploy,
including ipads and windows devices. It dawned on me just now that some
of the ipads would like to actually roam amongst different server setups
- completely different physical networks, which could be accommodated
with different SSIDs and certs, just load them all onto the ipads and
go. That seems to be a little bit of a headache to scale up to larger
numbers. We did try to anticipate this to some extent as our current
wifi setup is a single SSID for all of our wifi networks, regardless of
their physical location (spanning different cities even), but we were
using WPA2/PSK, so it was pretty easy to administer. I would love to
maintain that "walk-and-go" ability that a single SSID and PSK combo
With the certificates, however, they get locked to a common name for
installation, and I have traditionally always used the server name for
that. For a lot of reasons, the server names are different site to site,
so using the server names for common names in the certificates results
in many certificates. ie: site01-s1, site02-s1, site03-s1.......
Can I use a single common name (ie. myglobalsites) for the certificate
set across my entire domain, and simply copy the entire set,
(ca/pem/der/p12) from site to site? Does openssl and freeradius together
use any hardware info (CPU serial, resolved ip addr, etc) that would
cause a copied cert to crash? I am aware of "Cert builder apps" as well
as traditional (verisign) SSL-certs that are built off-site that would
have no idea of my actual hardware config, so my understanding is that
this would work. However I have not used the standalone apps for
building, only openssl on the host machine (and prior to this just for
VPN security, which was pretty straightforward).
I realize this may be a little more openssl-oriented than freeradius
specifically, however I'm curious if anyone has experience with the
process having a specific relationship or change to freeradius.
Thanks in advance!
More information about the Freeradius-Users