Server certificate and clients (eap-tls) certificate
Alan DeKok
aland at deployingradius.com
Mon Dec 11 22:12:42 CET 2017
On Dec 9, 2017, at 12:36 PM, work vlpl <thework.vlpl at gmail.com> wrote:
>
> I should get a valid SSL certificate from (Verisign or another CA)
Please don't. It's generally a bad idea. Use a self-signed CA. That way you can control it much better.
> and use
> it in `certificate_file` and `private_key_file`. This tells RADIUS
> server clients which server is valid. Also this will be enough to
> enable EAP-TTLS.
That's what the documentation says to do...
> The `ca_file` option should point to my self-generated/self-signed CA
> certificate. And EAP-TLS client certificates should be signed by this
> CA.
Yes.
> ---
> Also I have a question not related to the FreeRADIUS server, but maybe
> someone has an answer.
> I can generate a client certificate for the EAP-TLS auth method with a very
> long lifetime, like 10 years, and provision client devices with it
> only once. But if certificates have a short lifetime, I will have to
> update them periodically. How to do it with minimal user interaction?
Magic. :(
Most OS vendors make it hard to push EAP configs to end-user machines.
This may help: http://802.1x-config.org
Or, there are commercial providers who charge for the same services.
Alan DeKok.
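The setup Alan confirms above (a private CA in `ca_file`, a server certificate in `certificate_file`/`private_key_file`, client certificates issued by that same CA), as an added worked example that is not part of this thread and not the FreeRADIUS project's own tooling. It needs only openssl and a POSIX shell. The CA name, host name, user name, lifetimes, scratch directory and the FreeRADIUS 3.0 `tls-config` fragment it writes are all assumptions for illustration. The last four lines show why a CA you control is the point: a certificate from an unrelated CA (standing in for a public one) does not validate against `ca_file`, and a clientAuth-only certificate cannot pose as the server.

```sh
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: build a
# private CA, issue a server certificate for the RADIUS server and a client
# certificate for EAP-TLS, write the matching tls-config fragment, and
# verify the result with openssl. Names, paths and lifetimes are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for keys and certs
CNF="$WORK/ext.cnf"

# One openssl config shared by every step. The extension sections are what
# make the CA a CA and what restrict each leaf certificate to its role.
cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME CN: self-signed CA key + cert in $WORK/NAME.key and NAME.pem
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" \
    -signkey "$WORK/$1.key" -extfile "$CNF" -extensions ca \
    -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME CN ROLE DAYS: key + cert for NAME signed by CA, with the
# ROLE (server|client) extension section from $CNF and a DAYS lifetime
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$5" -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$CNF" -extensions "$4" -out "$WORK/$2.pem" 2>/dev/null
}

# verify_as PURPOSE CA CERT: exit 0 if CERT chains to CA and fits PURPOSE
# (sslserver or sslclient). This is the check the TLS library makes against
# ca_file during the EAP-TLS handshake.
verify_as() {
  openssl verify -purpose "$1" -CAfile "$WORK/$2.pem" "$WORK/$3.pem" \
    >/dev/null 2>&1
}

# write_eap_fragment: the three settings the thread discusses, pointing at
# the files above. Assumed FreeRADIUS 3.0 mods-available/eap syntax; dh_file
# and the rest of the tls-config section are left out.
write_eap_fragment() {
  cat > "$WORK/eap-tls.conf" <<EOF
tls-config tls-common {
	private_key_file = $WORK/server.key
	certificate_file = $WORK/server.pem
	ca_file = $WORK/ca.pem
}
EOF
}

# Our CA, a server cert, a client cert, and a second CA that stands in for
# a public CA we do not control (all names constructed for the example).
make_ca ca "Example Private RADIUS CA"
issue_cert ca server "radius.example.net" server 825
issue_cert ca client "alice" client 365
make_ca other "Unrelated Public CA"
issue_cert other stranger "mallory" client 365
write_eap_fragment

verify_as sslserver ca server       # OK: what supplicants check
verify_as sslclient ca client       # OK: what the RADIUS server checks
! verify_as sslclient ca stranger   # rejected: not issued by the ca_file CA
! verify_as sslserver ca client     # rejected: clientAuth-only cert is no server
```

`openssl verify -purpose` applies the same basicConstraints and extendedKeyUsage rules the TLS stack uses, so the last two lines are the practical reason for separate `server` and `client` extension sections: a stolen client certificate cannot be turned into a rogue RADIUS server, and nothing a third-party CA issues is accepted by `ca_file`.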
More information about the Freeradius-Users mailing list