02-13-2023 01:51 AM
In order to authenticate users with dot1x I need to install an SSL certificate on the RADIUS server;
is there a best practice for the common name, expiration time and signing CA to use for the certificate, in order to have as much compatibility as possible?
(User devices will not be under my control, nor joined to an AD, so I will not have the possibility to configure system trust for a specific certificate or CA.)
02-13-2023 09:17 AM
Hi, in your case you will need to acquire an SSL certificate from a publicly known CA and set it to be used as the RADIUS certificate.
The common name should be the name of your RADIUS server.
Avoid using a wildcard certificate for RADIUS auth, as some devices cannot work with wildcard certificates in RADIUS auth.
The validity of public certificates is usually 1 year, so be prepared to renew it every year, or you will have issues after the expiration date.
02-14-2023 12:30 AM
So, you suggest a public CA with a 12-month certificate (my other option was a self-signed one with a 10-year expiration, but I fear some issues with clients not accepting such a long expiration).
If I understand correctly, with this configuration (public CA signing the cert for 1 year) the client will have to accept the cert on first connection to the network and then re-accept the new certificate every year.
Is there a way to avoid this manual trust of the cert (e.g., I'm inventing here, using the name of the realm as the common name of the RADIUS cert, or something like this)?
Do you suggest some good book or online resource about this topic?
02-14-2023 11:02 AM
The idea of using a certificate from a known public CA is to avoid the devices having to accept the certificate. As the certificate is from a known, trusted public CA, the device should accept the certificate without any additional action (the devices already have some public CAs in their trust list).
02-15-2023 09:15 AM
Are you sure it's enough that it's signed by a trusted CA?
My experience is different: it always asks me to MANUALLY trust the RADIUS certificate (at least the first time I see this RADIUS server; then my device will cache the trust).
For a website I ask for a particular site name; the web server sends me the certificate with exactly the same common name as the site name I asked for, and if this certificate is trusted by one of my CAs, I can trust that I'm talking to the correct server I asked for.
With dot1x I ask to join an SSID, but the AP sends me back the certificate with the common name of a RADIUS server I don't know (different from the SSID)... It may send me the certificate of radius.bad-and-untrusted-guy.com and I will not trust it even if it's signed by a trusted CA.
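For the point raised in this last post, here is an added example (not from the thread) of how a wpa_supplicant client can be told which RADIUS server name to expect, so the trust decision is "chain to a known CA" plus "name matches the server I configured" rather than a manual prompt. The SSID, RADIUS host name, CA bundle path and identity are assumed values.

```conf
# Added example: hypothetical wpa_supplicant.conf network blocks.
# Assumed values: SSID "corp-wifi", RADIUS server radius.example.net,
# CA bundle at /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu path).

# WEAK: no ca_cert and no domain_match. The supplicant does not verify
# the server certificate at all, so any RADIUS server that terminates
# the EAP tunnel is accepted.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the chain must lead to a CA in the system bundle AND the
# server certificate's SubjectAltName dNSName (or CN if no SAN is
# present) must equal radius.example.net. The name check is what ties
# a CA-signed certificate to the specific server the user expects;
# a certificate for another host, even from a trusted CA, is rejected.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.net"
}
```

Windows and Apple supplicants expose the same two knobs as "trusted root CA" plus "connect to these servers" / trusted server names; without the server name, a public CA signature alone leaves the device prompting the user.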