(RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN

Bon sy bon at bunny.cs.qc.edu
Tue Aug 3 06:09:44 CDT 2004


Hi Scott and Terry,

	If your main concern is the cost as Terry mentioned, you may want
to consider building your own CA using openssl. If a moderate cost
investment may fit your budget, you may want to look into CATool as
Mike/Hugh has suggested previously. 

	We have tried and used both. Building your own CA using openssl is
more involved --- and obviously you have to provide your own technical
support --- compared to using CATool. If you do want to build your own
CA using openssl and to avoid the frustration causing your late night
sleepless symptom, we find it important to build up the comfort level on
openssl, perl, and Linux, and definitely read up a lot from the mailing
list, before doing it.

Bon


On Mon, 2 Aug 2004, Terry Simons wrote:

> Hi Scott,
> 
> You *can* reuse a server certificate in another location later.
> 
> The domain name has no real significance, except that you need to 
> verify it on the client to ensure that your clients are secure.  The 
> domain can be whatever you like, and can exist on multiple servers... 
> there is no inherent tie to any given server.
> 
> That said, it is probably *not* a good idea to reuse certificates in a 
> production environment, but it does work.
> 
> Is the main reason why you are purchasing certificates to ensure that 
> the client has a pre-installed CA certificate that will verify your 
> certificate, or for some other reason?
> 
> If your main concern is the cost, you should probably consider rolling 
> your own certificates.
> 
> - Terry
> 
> On Aug 2, 2004, at 8:59 PM, Scott Xiao - ANTlabs wrote:
> 
> >
> > Hi,
> > Can any of you recommend one workable Radius (Radiator) server certificate
> > besides Verisign? I want to buy a cheaper one, use it in 802.1x PEAP WLAN
> > hotspot. If I use it for domain "hostname.mydomain.com", can I use the same
> > certificate in future if I deploy a same WLAN in another place which will
> > still use the same domain name? Thanks!
> > Rgds
> > Scott Xiao
> > -----Original Message-----
> > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> > Behalf Of Terry Simons
> > Sent: Thursday, July 29, 2004 1:15 PM
> > To: Christian Wiedmann
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 
> > WLAN
> >
> >
> > Hi,
> >
> > On Jul 28, 2004, at 1:32 PM, Christian Wiedmann wrote:
> >
> >> As far as I know, the XP server extension OID is the one that is also
> >> used for web servers.  Therefore, a web server certificate should work.
> >
> > This is true.  There is one thing that people should probably be aware
> > of, however.
> >
> > At the last Networld + Interop HotStage, we did some extensive testing
> > with this and it was determined that what should probably happen is to
> > officially apply for some OIDs for 802.1X authentication servers.  One
> > of the HotStage members that is involved in the IETF and the IEEE is
> > pushing that a bit, so it could be the case that a "proper" OID set
> > will come out in the future.  It could be a ways out, but I personally
> > hope that it happens so we can have an "official" way of creating
> > "802.1X authentication" certificates.
> >
> > - Terry
> >
> >>
> >> For what it's worth, I've successfully used a Verisign web server
> >> certificate for PEAP authentication against Windows XP SP1.  I think
> >> there's a good chance a freessl certificate would work too.
> >>
> >> 	-Christian
> >>
> >> ref.:
> >> http://support.microsoft.com/?kbid=814394
> >> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.1.html
> >> http://www.ietf.org/rfc/rfc2459.txt
> >>
> >> On Wed, 28 Jul 2004, Mike McCauley wrote:
> >>
> >>> Date: Wed, 28 Jul 2004 19:35:44 +1000
> >>> From: Mike McCauley <mikem at open.com.au>
> >>> To: scottxiao at antlabs.com
> >>> Cc: Radiator <radiator at open.com.au>
> >>> Subject: Re: (RADIATOR) SSL certificate for  802.1x PEAP/aironet1100
> >>> WLAN
> >>>
> >>> Hi Scott,
> >>>
> >>>
> >>> On Wednesday 28 July 2004 18:41, Scott Xiao  - ANTlabs wrote:
> >>>> Hi, Mike,
> >>>> Thanks, so do you have any suggestion that I can purchase regarding
> >>>> the cert for radius server? Verisign? Which type? If you have any
> >>>> recommendation that it works well on Radiator.... Thanks
> >>>
> >>> Verisign offer certificates for radius servers, but I don't know the
> >>> details of how to apply for one. They do work with Radiator. You should
> >>> try to get it in PEM format.
> >>>
> >>> Cheers.
> >>>
> >>
> >> --
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >
> >
> >
> 
> 
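
Added example (not part of the original thread, and not code from Radiator or any poster): one way to roll your own certificates with openssl as suggested above, producing a PEM server certificate that carries the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1) named in the quoted references. The function names, file layout and CA name are assumptions; hostname.mydomain.com is the placeholder name used in the thread.

```shell
#!/bin/sh
# Added example. Hypothetical names: build_radius_pki, verify_radius_cert,
# pki.cnf, "Example WLAN Root CA". Requires the openssl command-line tool.

build_radius_pki() {
    dir=$1; server_cn=$2
    mkdir -p "$dir" || return 1
    # One config file holds the extension sets for the CA and the server.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# serverAuth is OID 1.3.6.1.5.5.7.3.1, the same EKU a web server cert has.
extendedKeyUsage = serverAuth
EOF
    # Root CA: ca.pem is the certificate every wireless client must trust.
    # -nodes leaves keys unencrypted for this demo; keep a real CA key offline.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example WLAN Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and signing request for the RADIUS server name.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$server_cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # The CA signs the request and applies the server extension set (PEM out).
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.pem" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

verify_radius_cert() {
    dir=$1
    # The chain must validate to our CA for the TLS-server purpose...
    openssl verify -purpose sslserver -CAfile "$dir/ca.pem" \
        "$dir/server.pem" >/dev/null 2>&1 || return 1
    # ...and the certificate must actually carry the serverAuth EKU.
    openssl x509 -in "$dir/server.pem" -noout -text |
        grep -q "TLS Web Server Authentication"
}

demo=$(mktemp -d) && build_radius_pki "$demo" hostname.mydomain.com &&
    verify_radius_cert "$demo" && echo "server certificate OK: $demo/server.pem"
```

With a private CA, ca.pem has to be installed on each client, which is the trade-off against a purchased certificate whose CA is already pre-installed.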
