4

I am running WPA2 enterprise for wireless access and I followed the instructions in /etc/raddb/certs/README and the freeRadius site howto. I also read the instructions in the privacywonk site.

The question is, the FreeRadius instructions and the site seems to suggest using only one (self-signed) certificate for all the supplicants, whereas the privacywonk website suggests the use of separate certificates for each supplicant.

Is there an advantage of one vs. the other?

One advantage I can think of is to be able to revoke a specific user account (which you can do when you have several certificates, one for each supplicant). Any others?

Also, how do you tie the specially created certificate to the specific user in the users file?

Alexis
  • 152
  • 1
  • 12
Sonny
  • 183
  • 1
  • 8

1 Answers1

3

Sharing certificates is basically the same as sharing passwords. If the one certificate is compromised, you have to go and reconfigure all the clients in order to change the certificate, whereas if you have a certificate per client you can simply revoke the compromised certificate. Also, the shared certificate may mean that clients can decrypt traffic sent to and from other clients, whereas separate certificates means that clients can only decrypt their own traffic. If you're going to the effort of setting up WPA2 with certificates I suggest you do it properly and generate certificates for each client.

I'm assuming that you're using EAP-TLS here, in which case you don't specifically configure users in the users file. The fact that a client has a certificate and key signed by the CA (i.e. the CA_file parameter) and is not in the CRL means that it has access.

With EAP-TLS the user provides a username, certificate and private key (possibly protected with a password). Note that there is no password with which the username can be authenticated with (i.e. users can enter any username they want). If you want to use the username to make policy decisions you need to validate that the username which the user provided is correct. I think that this is done by setting the username you want to use as the Common Name in the certificate when it is generated, and enabling the check_cert_cn parameter. This will cause the server to reject the request if the Common Name in the certificate provided by the user does not match the username they provided. You can then add entries to the users file matching User-Name to define your policy.

mgorven
  • 30,036
  • 7
  • 76
  • 121
  • So, for FreeRADIUS using the configuration/howto mentioned on the freeradius site (see http://wiki.freeradius.org/Certificates and http://wiki.freeradius.org/WPA-HOWTO) this entails changing the client.cnf file and re-generating client certificates using make client.pem for each client, correct? – Sonny Jul 24 '12 at 11:45
  • @Sonny And configuring `eap.conf` with your root CA; otherwise yes. – mgorven Jul 24 '12 at 16:28
  • So, in `eap.conf`, turning on `check_cert_cn = %{User-Name}` for each username used for generating the `client.p12`s? What is this username (is it different from the `commonName` in `client.cnf`)? Is it the same as the Username used in `users`? Do we have to include the username/password (I see http://freeradius.org/rfc/rfc2865.html#User-Name and it appears like it could be the `distinguishedName` from `client.cnf`). Could you point me to some documentation for this part of the config? – Sonny Jul 24 '12 at 16:56
  • @Sonny I've expanded my answer. I don't have any documentation for this other than the config file, so I'm mostly guessing here ;-) – mgorven Jul 24 '12 at 18:41
  • I added my solution at `http://serverfault.com/questions/410640/wpa2-enterprise-username-password-prompt-less-setup-on-a-mixed-network-xp-sp3?lq=1`. – Sonny Jul 26 '12 at 01:33