Self-signed provides stronger security in most cases. I'm using self-signed here, and distributing a certificate to unmanaged user devices is as easy as placing a p12 file on a USB drive and requiring users to stop by ops before getting on wireless. If you're using a public CA to sign certs, and you're not using TLS authentication (I'm guessing you're not; getting that many certs would be expensive), then anyone can impersonate your network and intercept perceivably protected traffic. This is BAD. Insofar as I know, nearly everyone on this list using certs is using self-signed.

On 1/25/2012 16:08, McNutt, Justin M. wrote:
So I'm getting some pushback in my organization against using a self-signed CA 
for signing my RADIUS server certs.  To make a long story short, I was asked to 
find out what other people were doing.

For my own reasons, I'd like to know slightly more than that.  If you AREN'T 
using a self-signed CA for your RADIUS server, what made you use another CA, 
and what CA did you use?

And just to be clear, is the consensus still that a self-signed CA is the way 
to go, assuming that you have a decent way to distribute the CA cert (which we 
do) to the clients who need to trust it?

I've read /etc/raddb/certs/README and I've done some Googling and everything I 
find pretty much assumes that you're using a self-signed CA.  The README 
explains briefly why, but my management wants more assurance than that, so here 
I am.

Looking forward to your responses, and thanks in advance.

--J

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
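The trust checks the two messages above are arguing about, as an added example that is not part of the thread (it is neither poster's code and not part of FreeRADIUS): a throwaway private CA issues a server cert, a second CA stands in for "someone else's" CA, and the same private CA also issues a cert to an unrelated name to mimic what a shared public CA does for any paying customer. It needs only the openssl command line tool; every CA, name and file here is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): private CA versus shared CA trust checks.
# Requires the openssl CLI. All CA names, server names and files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf;
# it marks the self-signed cert as a CA so "openssl verify" accepts it as one.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF

# make_ca NAME: create a self-signed CA (key + cert) as $WORK/NAME.key/.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA FILE CN: have CA sign a leaf certificate whose subject is CN
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chains_to CA FILE: succeeds only if FILE.crt is signed by CA. This is all a
# supplicant checks when it is configured with nothing but the CA cert.
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# chains_to_named CA FILE NAME: additionally requires the certificate's name
# to match NAME, which is what keeps a CA's other customers out.
chains_to_named() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
    "$WORK/$2.crt" >/dev/null 2>&1
}

# Build the scenario: our own CA, some other CA, and three leaf certs.
make_ca ourca                                    # our private CA
make_ca otherca                                  # a CA we never trusted
issue_cert ourca   real     radius.example.org   # our RADIUS server
issue_cert otherca fake     radius.example.org   # impostor: same name, other CA
issue_cert ourca   stranger evil.example.org     # what a shared CA would also
                                                 # issue to somebody else

# report CMD...: print ok/fail for one check without aborting the script
report() { if "$@"; then echo "ok   : $*"; else echo "fail : $*"; fi; }

report chains_to ourca real            # ok:   our CA signed our server cert
report chains_to ourca fake            # fail: impostor cannot get our CA's signature
report chains_to ourca stranger        # ok:   a shared CA's other customer validates...
report chains_to_named ourca stranger radius.example.org   # fail: ...until the name is checked
report chains_to_named ourca real radius.example.org       # ok:   name and CA both match
```

With a private CA the second line is the whole argument: a cert from any other CA, public or not, fails before the name is even looked at. The third and fourth lines show the public-CA case the reply warns about: anything that CA has ever issued chains cleanly, so the supplicant has to be configured to check the server name (and ideally pin the exact CA) as well, or the trust anchor alone proves nothing about who runs the access point.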