Let's Encrypt is a certificate authority that issues TLS certificates automatically, and for free. It has been great for web server administrators because it lets them automate requesting, receiving, installing, and renewing TLS certificates, taking the administrative overhead out of setting up a secure website. And did I mention it's free and its root certificate is trusted by all the major web browsers now?

Getting all of that to work with a RADIUS server is challenging, however, mostly because of the way Let's Encrypt works. The Let's Encrypt client normally runs on a web server with a public domain name. The client asks Let's Encrypt for a certificate and, before issuing it, Let's Encrypt verifies that the client actually controls that domain name. By default it hands the client a random token, expects the client to publish a small file containing that token (plus a fingerprint of the client's account key) under a hidden path on the site (/.well-known/acme-challenge/), and then fetches that file over plain HTTP on port 80 at the domain name from Let's Encrypt's own servers. Do you see the problem? Unless your RADIUS server also runs a public-facing web server (unlikely), that default check cannot succeed: Let's Encrypt needs a web server at the requested name that it can reach and read the challenge file from. (Let's Encrypt also offers a DNS-based challenge that needs no web server, but it requires automated access to your DNS zone, which is its own piece of engineering.)

Why use a certificate from a public CA like Let's Encrypt for 802.1X/PEAP authentication at all? A private CA offers more security, but a public CA has the advantage that its root certificate is already installed on virtually every RADIUS supplicant, including unmanaged BYOD clients. If you don't have an MDM or BYOD onboarding solution, you can't get your private root certificate onto BYOD clients very easily. Unmanaged clients are a security risk, however, because the end user can easily click through the security warning that appears when connecting to an evil-twin network presenting a bogus certificate. There is a further catch with a public CA: anyone, including an attacker running an evil twin, can obtain a perfectly valid Let's Encrypt certificate for a name they control, so trusting the CA alone proves nothing. The supplicant must also be configured to accept only your RADIUS server's name (the "Connect to these servers" setting in Windows' PEAP properties, or domain_match in wpa_supplicant), and an unmanaged client usually has no such restriction configured.

A few considerations before you get too excited:

A good MDM solution lets network admins configure BYOD clients properly, so that a TLS failure cannot be bypassed by the user. Again, the better and more secure solution is to use a private CA and distribute the RADIUS server certificate, together with the trust and server-name settings that go with it, to clients through an MDM and/or BYOD onboarding solution.

Let's Encrypt certificates are only valid for 90 days at a time, so renewal is a recurring, automated event rather than a yearly chore, and some supplicants will prompt users to accept the new certificate when it changes. Build some error handling, logging, and notification into the renewal process, so that a failed renewal does not silently take down Wi-Fi authentication when the old certificate expires.
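The HTTP challenge described above, as an added worked example (this is illustration written for this page, not the author's code or Let's Encrypt's): both sides of the exchange run on loopback so it works offline. The client side computes the "key authorization" for a token and serves it under /.well-known/acme-challenge/; the CA side recomputes the expected value from the account key it has on file, fetches the path over plain HTTP and compares. The account keys, token and port are constructed for the demo; a real CA resolves the name in DNS and connects to port 80 from its own servers, which is exactly the step a RADIUS host with no web server cannot satisfy (the final case in run_demo).

```python
import base64
import hashlib
import http.server
import json
import threading
import urllib.request

# Constructed stand-ins for ACME account keys (JWK public part). The values are
# placeholders, not real RSA keys: the thumbprint only hashes the JSON members,
# so nothing below needs a valid modulus.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-for-the-example"}
OTHER_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "a-different-account-key"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with sorted keys and no whitespace, so input member order
    does not matter."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the client must publish for a challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """The 'hidden file' location the CA fetches (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}"


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Client side: answer the CA's GET with the key authorization, 404 otherwise."""

    def do_GET(self):
        body = self.server.challenges.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ChallengeServer(http.server.HTTPServer):
    """Stand-in for the web server certbot would use. Binds a free loopback
    port; a real CA expects port 80 at the public name."""

    def __init__(self, challenges: dict):
        super().__init__(("127.0.0.1", 0), _ChallengeHandler)
        self.challenges = challenges


def validate_http01(host, port, token, account_jwk, timeout=5.0):
    """CA side: recompute what the client should have published, fetch it over
    plain HTTP and compare. Returns (ok, reason). A refused connection is the
    RADIUS-host-without-a-web-server case."""
    expected = key_authorization(token, account_jwk)
    url = f"http://{host}:{port}{challenge_path(token)}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("ascii", "replace").strip()
    except OSError as exc:  # URLError, HTTPError and raw socket errors
        return False, f"fetch of {url} failed: {exc}"
    if body != expected:
        return False, "key authorization mismatch"
    return True, "valid"


def run_demo() -> dict:
    token = "constructed-token-abc123"  # the CA picks a random token per challenge
    server = ChallengeServer({challenge_path(token): key_authorization(token, ACCOUNT_JWK)})
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    results = {
        "correct": validate_http01(host, port, token, ACCOUNT_JWK)[0],
        "unknown_token": validate_http01(host, port, "no-such-token", ACCOUNT_JWK)[0],
        "wrong_account_key": validate_http01(host, port, token, OTHER_ACCOUNT_JWK)[0],
    }
    server.shutdown()
    server.server_close()
    # Nothing listening any more: the CA gets 'connection refused', which is
    # what happens when the name points at a RADIUS server with no web server.
    results["no_web_server"] = validate_http01(host, port, token, ACCOUNT_JWK)[0]
    return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:18s} {'issued' if ok else 'refused'}")
```

Only the first case results in a certificate; the other three are the failures a CA reports back, and the last one is the failure you get from a RADIUS server that has nothing on port 80.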
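To make the last consideration concrete, here is an added example (written for this page, not the author's script) of a certbot deploy hook that installs a renewed certificate into FreeRADIUS with the checks, logging and notification the text calls for. certbot runs deploy hooks after each successful renewal with RENEWED_LINEAGE (the directory holding fullchain.pem and privkey.pem) in the environment. The RADIUS server name, certificate directory, service name, group and the RADIUS_NOTIFY_CMD variable are assumptions for the example, and the openssl output sample used by self_check() is constructed.

```python
#!/usr/bin/env python3
import datetime
import logging
import os
import shlex
import shutil
import subprocess
from pathlib import Path

RADIUS_SERVER_NAME = "radius.example.com"           # assumption: the name supplicants are told to expect
RADIUS_CERT_DIR = Path("/etc/freeradius/3.0/certs")  # assumption: Debian/Ubuntu FreeRADIUS layout
RADIUS_SERVICE, RADIUS_GROUP = "freeradius", "freerad"  # assumption: systemd unit and daemon group
MIN_DAYS_LEFT = 14                                   # refuse to install something about to expire

log = logging.getLogger("radius-deploy-hook")

# Constructed sample of `openssl x509 -noout -ext subjectAltName -enddate -fingerprint -sha256`
# output, so the parsing and checks can be exercised without a real certificate.
SAMPLE_OPENSSL_OUTPUT = """\
X509v3 Subject Alternative Name: 
    DNS:radius.example.com, DNS:radius2.example.com
notAfter=Jun  1 12:00:00 2025 GMT
sha256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
"""


def parse_openssl_x509(text: str) -> dict:
    """Pull SAN DNS names, expiry and SHA-256 fingerprint out of openssl's text output."""
    info = {"dns_names": [], "not_after": None, "fingerprint": None}
    for line in text.splitlines():
        line = line.strip()
        if "DNS:" in line:
            parts = [p.strip() for p in line.split(",")]
            info["dns_names"] += [p[4:] for p in parts if p.startswith("DNS:")]
        elif line.startswith("notAfter="):
            fields = line.split("=", 1)[1].split()  # e.g. ['Jun', '1', '12:00:00', '2025', 'GMT']
            stamp = datetime.datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
            info["not_after"] = stamp.replace(tzinfo=datetime.timezone.utc)  # openssl prints GMT
        elif "Fingerprint=" in line:
            info["fingerprint"] = line.split("=", 1)[1]
    return info


def check_certificate(info: dict, expected_name: str, now, min_days: int = MIN_DAYS_LEFT) -> list:
    """Return the reasons not to install this certificate (empty list means OK)."""
    problems = []
    if expected_name not in info["dns_names"]:
        problems.append(f"certificate is for {info['dns_names']}, not {expected_name}; "
                        "supplicants pinned to that name would reject it")
    if info["not_after"] is None:
        problems.append("could not read notAfter")
    elif (days_left := (info["not_after"] - now).days) < min_days:
        problems.append(f"certificate expires in {days_left} days (limit {min_days})")
    return problems


def inspect_certificate(cert_path: Path) -> dict:
    cmd = ["openssl", "x509", "-in", str(cert_path), "-noout",
           "-ext", "subjectAltName", "-enddate", "-fingerprint", "-sha256"]
    return parse_openssl_x509(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def notify(message: str) -> None:
    """Hypothetical hook-up: log, and pipe the message to whatever command
    RADIUS_NOTIFY_CMD names (a mail or webhook client), if one is configured."""
    log.error(message)
    cmd = os.environ.get("RADIUS_NOTIFY_CMD")
    if cmd:
        subprocess.run(shlex.split(cmd), input=message, text=True, check=False)


def install_file(src: Path, dst: Path, mode: int, group: str = None) -> None:
    """Copy via a temp file and rename, so radiusd never sees a half-written file."""
    tmp = dst.with_name(dst.name + ".tmp")
    shutil.copyfile(src, tmp)
    os.chmod(tmp, mode)
    if group:
        shutil.chown(tmp, group=group)
    os.replace(tmp, dst)


def deploy(lineage: Path, now=None) -> dict:
    now = now or datetime.datetime.now(datetime.timezone.utc)
    info = inspect_certificate(lineage / "fullchain.pem")
    problems = check_certificate(info, RADIUS_SERVER_NAME, now)
    if problems:
        raise RuntimeError("; ".join(problems))
    RADIUS_CERT_DIR.mkdir(parents=True, exist_ok=True)
    install_file(lineage / "fullchain.pem", RADIUS_CERT_DIR / "server.pem", 0o644)
    install_file(lineage / "privkey.pem", RADIUS_CERT_DIR / "server.key", 0o640, RADIUS_GROUP)
    subprocess.run(["systemctl", "restart", RADIUS_SERVICE], check=True)
    # Log the new fingerprint: helpdesk can then tell users who get a "new
    # certificate" prompt from their supplicant what they should be seeing.
    log.info("installed cert for %s (expires %s, sha256 %s); restarted %s",
             RADIUS_SERVER_NAME, info["not_after"].date(), info["fingerprint"], RADIUS_SERVICE)
    return info


def self_check() -> dict:
    """Run the checks against the constructed sample (no openssl or root needed)."""
    info = parse_openssl_x509(SAMPLE_OPENSSL_OUTPUT)
    may_1 = datetime.datetime(2025, 5, 1, tzinfo=datetime.timezone.utc)
    may_25 = datetime.datetime(2025, 5, 25, tzinfo=datetime.timezone.utc)
    return {"ok": check_certificate(info, "radius.example.com", may_1) == [],
            "wrong_name": len(check_certificate(info, "nas.example.com", may_1)),
            "expiring": len(check_certificate(info, "radius.example.com", may_25))}


def main() -> int:
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(name)s %(levelname)s %(message)s")
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by certbot for deploy hooks
    if not lineage:
        log.error("RENEWED_LINEAGE not set; run this as a certbot deploy hook")
        return 2
    try:
        deploy(Path(lineage))
    except Exception as exc:  # any failure must be loud, never silent
        notify(f"RADIUS certificate deploy failed for {lineage}: {exc}")
        return 1
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ or pass it with certbot renew --deploy-hook. It refuses to install a certificate that does not carry the RADIUS server's name (which a supplicant pinned to that name would reject anyway), swaps the files atomically, and turns any failure into a non-zero exit plus a notification, so an expiring certificate is noticed before the supplicants start failing.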