Sorry, arniel, I don't have a concrete answer for you.  I'm still trying to
get my first EAP/TLS client going.  It's been about 3 days working on it.
The certificate stuff is the worst.

Here is a thread that might shed some light:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg20440.html.
I think the key is where the discussion mentions that the certificates don't
include a real user name as login would understand it.  The supplicant has a
certificate and it either matches one on the server or it doesn't.  It's kind
of anonymous that way.  Everyone could have the same cert and get on the net
that way.  You're either in the group that can use the AP or you're not.
From a security standpoint, this is disturbing.  Sure, you probably can't
brute force it anymore but if you can human engineer yourself a cert, no one
will ever know you're in and don't belong.

It still looks like you have to use supplicant tools to install the cert.

And now, here are my issues:
I'd like to know if the latest versions of OpenSSL (I have 0.9.6b-29 from
redhat 8) and FreeRADIUS (0.9.2) will work with the latest XP clients (I
have XP SP1 with latest patches from Windows Update).  If not, who knows
what will work?  Please don't tell me that in the 19 months since March
2002, OpenSSL hasn't had the extra code (SNAP?) put into the main tree.  I
saw somewhere that OpenSSL 0.9.7c was used by someone for EAP/TLS
successfully.  Is my 0.9.6b-29 OK?

FYI - for the best tutorial I've seen so far about EAP/TLS certificates in
general, Cisco has a good start:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

I realize that RADIUS is only one piece of EAP/TLS but it's an important
piece.  IMO there should be a section in the FAQ by now.


Dana Bourgeois

> Message: 2
> From: "arniel" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: expired certificate
> Date: Sun, 19 Oct 2003 16:34:15 +0800
> Reply-To: [EMAIL PROTECTED]
> 
> Hi Guys,
> 
> 
> I am implementing EAP-TLS on my network using Freeradius. 
> Just want to ask if there is a better way of re-certifying my 
> client certificate if ever it is already expired? For now, I 
> am doing the manual thing... I have to start over from scratch, 
> like copying root.der and client.p12 to my 
> client's PC. Then prior to that I also have to remove the 
> expired certificate and replace it with a new one. It's really 
> tedious to do if I have like 10 wireless clients.
> 
> Please advise...
> 
> Thanks
> 
> 
> arniel


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
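The renewal chore arniel describes (new client cert, new client.p12, root.der copied to the PC) can at least be scripted on the CA side with nothing but the openssl CLI. The script below is an added example, not code from the thread or from the FreeRADIUS project. It assumes hypothetical file names (ca.key/ca.pem for the issuing CA, NAME.key/NAME.pem/NAME.p12 per client, root.der for the supplicant's trusted root), a throwaway export password "changeit", and a constructed lab setup in which one client cert is issued for only 1 day so that the expiry check fires. Each client keeps its own private key across renewals, so only the certificate and the .p12 bundle change, and each client gets a distinct serial number from ca.srl, which is what later makes revoking one client possible. The copy of the .p12 to the client PC and the import into the supplicant still have to happen by hand, as the thread says.

```shell
#!/bin/sh
# Added example (not from the thread): check EAP-TLS client certificates for
# expiry and re-issue the ones that are about to lapse, using only openssl.
# File names (ca.key, ca.pem, root.der, NAME.key/.pem/.p12) are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed lab CA (self-signed). A real CA key lives offline, not here.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -days 3650 -subj "/CN=Lab EAP-TLS CA" >/dev/null 2>&1
    # root.der is the DER copy of the CA cert the Windows supplicant imports
    openssl x509 -in ca.pem -outform DER -out root.der
}

# Issue (or re-issue) a client certificate valid for $2 days. The private key
# is generated once and reused on renewal, so only the cert changes.
issue_client() {
    name="$1"; days="$2"
    [ -f "$name.key" ] || openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
    # -CAcreateserial keeps ca.srl, so every issued cert gets a new serial
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days "$days" -out "$name.pem" 2>/dev/null
    # client.p12 = key + cert + CA chain, the bundle copied to the client PC
    openssl pkcs12 -export -inkey "$name.key" -in "$name.pem" -certfile ca.pem \
        -name "$name" -out "$name.p12" -passout pass:changeit
}

# Exit 0 if the cert is still valid for at least $2 more seconds, else 1
cert_ok() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the serial so a caller can prove the cert was really replaced
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Re-issue every client whose cert expires within $1 seconds; print the names
renew_expiring() {
    window="$1"; shift
    for n in "$@"; do
        if ! cert_ok "$n.pem" "$window"; then
            issue_client "$n" 365
            echo "$n"
        fi
    done
}

demo() {
    make_ca
    issue_client alice 1      # constructed: expires within a day
    issue_client bob 365      # constructed: fine for a year
    OLD_SERIAL=$(cert_serial alice.pem)
    RENEWED=$(renew_expiring 172800 alice bob)   # 2-day warning window
    echo "renewed: $RENEWED (old serial $OLD_SERIAL, new $(cert_serial alice.pem))"
    echo "bundles to copy to clients: $(ls *.p12 | tr '\n' ' ')root.der"
}
demo
```

Run it from cron with a window of a few weeks and it tells you which .p12 files need to go out before anyone is locked off the AP. One caveat for old supplicants: OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, which Windows XP cannot import; its `-legacy` switch restores the older RC2/3DES encoding. Whether a given 0.9.6/0.9.7 build has the EAP/TLS patches the thread asks about is a separate question this script does not answer.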