Re: expired certificate

2003-10-20 Thread Dana Bourgeois
Sorry, arniel, I don't have a concrete answer for you.  I'm still trying to
get my first EAP/TLS client going.  It's been about 3 days working on it.
The certificate stuff is the worst.  

Here is a thread that might shed some light:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg20440.html.
I think the key is where the discussion mentions that the certificates don't
include a real user name as login would understand it.  The supplicant has a
certificate and it either matches one on the server or it doesn't.  It's kind
of anonymous that way.  Everyone could have the same cert and get on the net
that way.  You're either in the group that can use the AP or you're not.
From a security standpoint, this is disturbing.  Sure, you probably can't
brute force it anymore, but if you can human engineer yourself a cert, no one
will ever know you're in and don't belong.

It still looks like you have to use supplicant tools to install the cert.

And now, here are my issues:
I'd like to know if the latest versions of OpenSSL (I have 0.9.6b-29 from
redhat 8) and FreeRADIUS (0.9.2) will work with the latest XP clients (I
have XP SP1 with latest patches from Windows Update).  If not, who knows
what will work?  Please don't tell me that in the 19 months since March
2002, OpenSSL hasn't had the extra code (SNAP?) put into the main tree.  I
saw somewhere that OpenSSL 0.9.7c was used by someone for EAP/TLS
successfully.  Is my 0.9.6b-29 OK?

FYI - for the best tutorial I've seen so far about EAP/TLS certificates in
general, Cisco has a good start:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

I realize that RADIUS is only one piece of EAP/TLS but it's an important
piece.  IMO there should be a section in the FAQ by now.


Dana Bourgeois

 --__--__--
 
 Message: 2
 From: arniel [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: expired certificate
 Date: Sun, 19 Oct 2003 16:34:15 +0800
 Reply-To: [EMAIL PROTECTED]
 
 Hi Guys,
 
 
 I am implementing EAP-TLS on my network using Freeradius. 
 Just want to ask if there is a better way of re-certifying my 
 client certificate if ever it is already expired? For now, I 
 am doing the manual thing... I have to go over from scratch, 
 like copying root.der and client.p12 and copy it to my 
 clients' PC. Then prior to that I also have to remove the 
 expired certificate and replace it with a new one. It's really 
 tedious to do if I have like 10 wireless clients.
 
 Please advise...
 
 Thanks
 
 
 arniel


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


expired certificate

2003-10-19 Thread arniel
Hi Guys,


I am implementing EAP-TLS on my network using Freeradius. Just want to ask
if there is a better way of re-certifying my client certificate if ever it
is already expired? For now, I am doing the manual thing... I have to go
over from scratch, like copying root.der and client.p12 and copy it to my
clients' PC. Then prior to that I also have to remove the expired certificate
and replace it with a new one. It's really tedious to do if I have like 10
wireless clients.

Please advise...

Thanks


arniel


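An added example, not code from either post or from the FreeRADIUS project: a POSIX shell script that turns the "start over from scratch" renewal described above into one command per client. It keeps the CA that FreeRADIUS already trusts, checks each client.crt against a warning window with `openssl x509 -checkend`, and only when the certificate is inside that window cuts a fresh key and certificate and rebuilds the client.p12 the supplicant imports. The directory layout (ca/ca.key, ca/ca.crt, root.der, NAME.crt, NAME.p12), the client names, the 30-day window and the demo CA are all assumptions for the sake of a stand-alone run; the clientAuth extended key usage is a real requirement of the Windows EAP-TLS supplicant, which does not offer certificates that lack it.

```shell
#!/bin/sh
# Added example (not from the list posts): re-issue an expiring EAP-TLS client
# certificate from an existing CA and rebuild the PKCS#12 bundle the supplicant
# imports. Paths, names and the 30-day warning window are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}        # scratch directory (assumed)
CA_DIR="$WORK/ca"                 # ca.key / ca.crt / root.der live here (assumed layout)
DAYS_WARN=${DAYS_WARN:-30}        # re-issue when fewer than this many days remain

# Build a throw-away CA so the script runs stand-alone; in real use point
# CA_DIR at the CA whose root.der the clients and FreeRADIUS already trust.
make_test_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Test EAP-TLS CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    # root.der is the form the Windows supplicant imports into Trusted Root CAs
    openssl x509 -in "$CA_DIR/ca.crt" -outform DER -out "$CA_DIR/root.der"
}

# issue_client NAME DAYS PASSWORD
# New key pair and CSR, signed by the CA with the clientAuth EKU (the Windows
# EAP-TLS supplicant only offers certificates that carry it), then NAME.p12
# holding key, cert and CA cert, protected with PASSWORD.
issue_client() {
    name=$1; days=$2; pw=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
    openssl pkcs12 -export -name "$name" -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
        -certfile "$CA_DIR/ca.crt" -passout "pass:$pw" -out "$WORK/$name.p12"
}

# needs_renewal NAME: succeeds (0) when NAME.crt expires within DAYS_WARN days.
# "openssl x509 -checkend N" succeeds only if the cert is still valid N seconds ahead.
needs_renewal() {
    if openssl x509 -in "$WORK/$1.crt" -noout -checkend $((DAYS_WARN * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# renew_client NAME DAYS PASSWORD: prints "renewed" after re-issuing, else "current".
renew_client() {
    if needs_renewal "$1"; then
        issue_client "$1" "$2" "$3"
        echo renewed
    else
        echo current
    fi
}

# p12_subject NAME PASSWORD: subject of the certificate inside NAME.p12, as a
# sanity check that the bundle handed to the client carries the new cert.
p12_subject() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo: alice gets a one-year cert, bob a one-day cert that sits inside the window.
make_test_ca
issue_client alice 365 secret
issue_client bob 1 secret
for c in alice bob; do
    printf '%s: %s\n' "$c" "$(renew_client "$c" 365 secret)"
done
openssl verify -CAfile "$CA_DIR/ca.crt" "$WORK/bob.crt"
```

Two caveats worth knowing before using this against real supplicants. First, the script only produces the files: the new NAME.p12 still has to reach the client and be imported, but root.der does not need re-copying unless the CA itself changes, and because the CA is unchanged nothing on the FreeRADIUS side has to be touched. Second, OpenSSL 3 exports PKCS#12 with AES and PBKDF2 by default, which XP-era Windows cannot import; on OpenSSL 3 add `-legacy` to the `openssl pkcs12 -export` line for such clients. Giving every client its own CN, as the script does, also means the server can tell from the presented certificate which client connected, rather than every supplicant sharing one anonymous cert.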