<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: dot1x: common name for radius certificate in Wireless Questions and Best Practices</title>
    <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53566#M2235</link>
    <description>&lt;P&gt;hello,&lt;/P&gt;&lt;P&gt;so, you suggest a public CA with a 12-month certificate (my other option was a self-signed one with 10 year expiration, but I fear some issue with clients not accepting so long an expiration).&lt;BR /&gt;&lt;BR /&gt;if I understand correctly, with this configuration (public CA signing crt for 1 year) the client will have to accept the crt on first connection to the network and then re-accept the new certificate every year.&lt;BR /&gt;&lt;BR /&gt;is there a way to avoid this manual trust of the crt (i.e. I'm inventing, using the name of the realm as common name of the radius crt or something like this)?&lt;BR /&gt;&lt;BR /&gt;do you suggest some good book or online resource about this argument?&lt;BR /&gt;&lt;BR /&gt;thanks&lt;/P&gt;</description>
    <pubDate>Tue, 14 Feb 2023 08:30:27 GMT</pubDate>
    <dc:creator>ebi</dc:creator>
    <dc:date>2023-02-14T08:30:27Z</dc:date>
    <item>
      <title>dot1x: common name for radius certificate</title>
      <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53502#M2231</link>
      <description>&lt;P&gt;hello,&lt;/P&gt;&lt;P&gt;in order to authenticate users with dot1x I need to install an SSL certificate on the radius server;&lt;/P&gt;&lt;P&gt;are there best practices about the common name, expiration time and signing CA to use for the certificate in order to have as much compatibility as possible?&lt;/P&gt;&lt;P&gt;(user devices will not be under my control, nor joined to an AD, so I will not have the possibility to configure system trust on a specific certificate or CA).&lt;/P&gt;</description>
      <pubDate>Mon, 13 Feb 2023 09:51:09 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53502#M2231</guid>
      <dc:creator>ebi</dc:creator>
      <dc:date>2023-02-13T09:51:09Z</dc:date>
    </item>
    <item>
      <title>Re: dot1x: common name for radius certificate</title>
      <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53517#M2234</link>
      <description>&lt;P&gt;Hi, in your case you will need to acquire an SSL certificate from a publicly known CA and set it to be used as a radius certificate.&lt;/P&gt;&lt;P&gt;Common name should be the name of your radius server.&lt;/P&gt;&lt;P&gt;Avoid using a wildcard certificate for radius auth as some devices cannot work with wildcard certificates in radius auth.&lt;/P&gt;&lt;P&gt;The validity of public certificates is usually 1 year, so be prepared to renew it every year or you will have issues after the expiration date.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Feb 2023 17:17:34 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53517#M2234</guid>
      <dc:creator>bruno_andrade</dc:creator>
      <dc:date>2023-02-13T17:17:34Z</dc:date>
    </item>
    <item>
      <title>Re: dot1x: common name for radius certificate</title>
      <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53566#M2235</link>
      <description>&lt;P&gt;hello,&lt;/P&gt;&lt;P&gt;so, you suggest a public CA with a 12-month certificate (my other option was a self-signed one with 10 year expiration, but I fear some issue with clients not accepting so long an expiration).&lt;BR /&gt;&lt;BR /&gt;if I understand correctly, with this configuration (public CA signing crt for 1 year) the client will have to accept the crt on first connection to the network and then re-accept the new certificate every year.&lt;BR /&gt;&lt;BR /&gt;is there a way to avoid this manual trust of the crt (i.e. I'm inventing, using the name of the realm as common name of the radius crt or something like this)?&lt;BR /&gt;&lt;BR /&gt;do you suggest some good book or online resource about this argument?&lt;BR /&gt;&lt;BR /&gt;thanks&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2023 08:30:27 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53566#M2235</guid>
      <dc:creator>ebi</dc:creator>
      <dc:date>2023-02-14T08:30:27Z</dc:date>
    </item>
    <item>
      <title>Re: dot1x: common name for radius certificate</title>
      <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53590#M2236</link>
      <description>&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;The idea of using a certificate from a known public CA is to avoid the devices having to accept the certificate. As the certificate is from a known trusted public CA, the device should accept the certificate without any additional action (the devices already have some public CAs in their trust list).&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2023 19:02:05 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53590#M2236</guid>
      <dc:creator>bruno_andrade</dc:creator>
      <dc:date>2023-02-14T19:02:05Z</dc:date>
    </item>
    <item>
      <title>Re: dot1x: common name for radius certificate</title>
      <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53646#M2238</link>
      <description>&lt;P&gt;hello,&lt;/P&gt;&lt;P&gt;are you sure it's &lt;SPAN&gt;enough that it's signed by a trusted CA?&lt;BR /&gt;&lt;BR /&gt;my experience is different, it always asks me to MANUALLY trust the radius certificate (at least the first time I see this radius, then my device will cache the trust)&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;for a website I ask for a particular site name, the web server sends me the certificate with exactly the same common name as the site name I asked for and if this certificate is trusted by one of my CAs, I can trust I'm talking to the correct server I asked for.&lt;BR /&gt;&lt;BR /&gt;with dot1x I ask to join an ssid, but the AP sends me back the certificate with the (different than ssid) common name of a radius server I don't know... it may send me the certificate of radius.bad-and-untrusted-guy.com and I will not trust it even if it's signed by a trusted CA&lt;/P&gt;</description>
      <pubDate>Wed, 15 Feb 2023 17:15:48 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53646#M2238</guid>
      <dc:creator>ebi</dc:creator>
      <dc:date>2023-02-15T17:15:48Z</dc:date>
    </item>
    <item>
      <title>Re: dot1x: common name for radius certificate</title>
      <link>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53767#M2239</link>
      <description>&lt;P&gt;Hello, you will need to configure your devices' supplicant, so yes, the first time you will have to manually check to trust the CA.&lt;/P&gt;&lt;P&gt;The idea of using a public certificate is that you don't need to install the CA certificate on the device as it already has some public CAs installed.&lt;/P&gt;&lt;P&gt;The common name of the certificate doesn't matter in this case (but don't use a wildcard certificate, as explained before), on most radius servers you can only have one certificate for Radius and this works for any SSID (and also for wired auth).&lt;/P&gt;&lt;P&gt;If you are looking for a way to make it easier for your users you might want to check out the CloudPath solution, with CP you can redirect your users to a portal to sign up without an IT specialist doing all the steps on all devices.&lt;/P&gt;</description>
      <pubDate>Thu, 16 Feb 2023 19:38:34 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/dot1x-common-name-for-radius-certificate/m-p/53767#M2239</guid>
      <dc:creator>bruno_andrade</dc:creator>
      <dc:date>2023-02-16T19:38:34Z</dc:date>
    </item>
  </channel>
</rss>

