[Fedora-directory-users] FDS, Radius and Beyond
Andrew C. Dingman
andrew at dingman.org
Mon Dec 3 09:32:51 UTC 2007
On Sun, 2007-12-02 at 11:31 -0800, Satish Chetty wrote:
> This is a not a direct FDS question but I thought I will ask anyway. I
> want to issue digital certificates (stored and verified on FDS) to every
> laptop and desktop.
If I needed this today, I'd use Red Hat Certificate System to do it.
Soon there will be a Fedora Certificate System as well...
pki.fedoraproject.org
> When the laptop/desktop gets on the network and
> requests a DHCP IP address, I want the DHCP server to verify the
> certificate before access to the network resources is allowed. Something
> similar to the Hotspots in coffee shops and hotels but that uses
> certificates instead of login/password from user.
You don't really want to do this at the DHCP server. Anyone with a
sniffer, a couple minutes, and a clue could get on your net in spite of
it, even if it were possible. DHCP was never intended to be a security
service. DHCP requires the client to already have access to the physical
media, and just helps the client play nicely by filling it in on the
local conventions, so to speak. It sounds like perhaps what you really
want is 802.1x with EAP-TLS. 802.1x actually restricts access to the
media, though it takes some infrastructure, including switch support.
One of the authentication mechanisms available is EAP-TLS, which lets
you use certificates for authentication.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3551 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20071203/7ccc9aa7/attachment.bin>
More information about the 389-users
mailing list