Re: Certificate Provisioning for EAP-TLS Networks
There are other solutions around as well to distribute and manage client side certificates. Not cheap, but they do exist.

//anders

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate Provisioning for EAP-TLS Networks
> How do you get the certificates on the device in the first place?

Well - that's the problem. I would like for there to be a USB cable method of putting the key material on the device. Then we could build some nifty client script to automate the provisioning. But these devices in particular don't have that.

As it is - we need to set up some ad-hoc or other non-routed WLAN with PSK or WEP security, put the device(s) on there, and at that point the devices can pull the certs down via http or tftp.

So, here's how it goes in our test environment. We have the 'production' WLAN which must remain WPA2/EAP-TLS. For compliance there is no flexibility in the security of that WLAN. *sigh* OK, no worries, it makes it a cool problem to solve. :-)

So I've just got a laptop temporarily set up with a little ad-hoc network for provisioning the phones via tftp. These will be in a dozen remote locations, so I need to build a solution enabling rapid provisioning of the devices with minimal local technical oversight.

--
Matt
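The bootstrap flow described in the message above (phones on a non-routed WLAN pulling their credentials via tftp or http, with certs that expire every 90 days), as an added example that is not code from the thread or from FreeRADIUS: it stages one credential bundle per device under a tftp root, writes a SHA-256 manifest so a bundle fetched over the provisioning network can be checked for tampering, and lists which devices at each site fall due for re-keying before a visit. The directory layout, file names, manifest format and inventory format are all assumptions made for the example.

```python
import hashlib, json, os
from datetime import date, timedelta

CERT_LIFETIME_DAYS = 90  # certificate lifetime quoted in the thread


def stage_device(tftp_root, device_id, cert_pem, key_pem, ca_pem):
    """Write one device's bundle to <tftp_root>/<device_id>/ plus a digest manifest (assumed layout)."""
    bundle_dir = os.path.join(tftp_root, device_id)
    os.makedirs(bundle_dir, exist_ok=True)
    files = {"client.crt": cert_pem, "client.key": key_pem, "ca.crt": ca_pem}
    manifest = {"device": device_id, "sha256": {}}
    for name, data in files.items():
        path = os.path.join(bundle_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        # The private key is the sensitive part: owner-readable only on the share.
        os.chmod(path, 0o600 if name == "client.key" else 0o644)
        manifest["sha256"][name] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(bundle_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_bundle(tftp_root, device_id):
    """True only if every file listed in the manifest still matches its digest."""
    bundle_dir = os.path.join(tftp_root, device_id)
    try:
        with open(os.path.join(bundle_dir, "manifest.json")) as fh:
            manifest = json.load(fh)
        for name, digest in manifest["sha256"].items():
            with open(os.path.join(bundle_dir, name), "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != digest:
                    return False
    except (OSError, KeyError, ValueError):
        return False  # missing bundle, missing file or malformed manifest
    return True


def rekey_due(inventory, today, lead_days=14):
    """Map site -> device ids whose 90-day cert expires within lead_days (ISO date strings; constructed inventory format)."""
    due, now = {}, date.fromisoformat(today)
    for device_id, info in inventory.items():
        expires = date.fromisoformat(info["issued"]) + timedelta(days=CERT_LIFETIME_DAYS)
        if (expires - now).days <= lead_days:
            due.setdefault(info["site"], []).append(device_id)
    return due
```

The manifest only detects modification on the share; it does not make the PSK/WEP bootstrap network itself trustworthy, so the key material should still be treated as exposed until the phone is on the EAP-TLS WLAN.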
Re: Certificate Provisioning for EAP-TLS Networks
On Fri, Jan 30, 2009 at 8:08 AM, Alan DeKok wrote:
> Luciano Afranllie wrote:
>> You can check and maybe take some ideas from wimax forum guys.
>
> Unfortunately, no.
>
>> Go to www.wimaxforum.org. Register and login. Go to Network Working
>> Group and check for OTA Provisioning and Network Architecture (stage 2
>> and 3) specifications.
>
> Access is for WiMAX forum members only. Which costs a lot of money.
> And the NWG / OTA specifications are only for WiMAX equipment. They
> don't apply anywhere else.
>

Ok, maybe you are right, but I was just talking about "ideas", and they may apply to other scenarios. It is true wimax uses OMA DM and that is not such a common nor cheap solution, but the idea of using a device management/provisioning infrastructure to get certificates can be considered.

By the way, the documents I mentioned can be accessed with a free membership. You only need to register.

Regards
Luciano
Re: Certificate Provisioning for EAP-TLS Networks
Matt Causey wrote:
> However a pretty big limitation of this security architecture is of
> course getting the SSL key material onto the devices. In our case -
> the devices are SIP phones with no wired ethernet connection. I know
> there are other sites with similar issues.

How do you get the certificates on the device in the first place?

Alan DeKok.
Re: Certificate Provisioning for EAP-TLS Networks
Luciano Afranllie wrote:
> You can check and may be take some ideas from wimax forum guys.

Unfortunately, no.

> Go to www.wimaxforum.org. Register and login. Go to Network Working
> Group and check for OTA Provisioning and Network Architecture (stage 2
> and 3) specifications.

Access is for WiMAX forum members only. Which costs a lot of money. And the NWG / OTA specifications are only for WiMAX equipment. They don't apply anywhere else.

Alan DeKok.
Re: Certificate Provisioning for EAP-TLS Networks
On Thu, Jan 29, 2009 at 12:52 PM, Matt Causey wrote:
> I am running FreeRadius at my company on a WLAN - using SSL key
> material issued by our internal certificate authority. All is well.
>
> However a pretty big limitation of this security architecture is of
> course getting the SSL key material onto the devices. In our case -
> the devices are SIP phones with no wired ethernet connection. I know
> there are other sites with similar issues.
>
> I would like to hear some ideas on what folks are doing to manage SSL
> key material on devices. This would include initial key provisioning
> and re-keying when certs expire. Presently ours expire every 90 days.
>
> Thoughts?

You can check and maybe take some ideas from wimax forum guys. Go to www.wimaxforum.org. Register and login. Go to Network Working Group and check for OTA Provisioning and Network Architecture (stage 2 and 3) specifications.

Regards
Luciano
Certificate Provisioning for EAP-TLS Networks
I am running FreeRadius at my company on a WLAN - using SSL key material issued by our internal certificate authority. All is well.

However a pretty big limitation of this security architecture is of course getting the SSL key material onto the devices. In our case - the devices are SIP phones with no wired ethernet connection. I know there are other sites with similar issues.

I would like to hear some ideas on what folks are doing to manage SSL key material on devices. This would include initial key provisioning and re-keying when certs expire. Presently ours expire every 90 days.

Thoughts?

--
Matt