Time for action – creating a RADIUS PKI for your organization
The aim of this book is not to replace existing documentation. There is an excellent README file inside the certs sub-directory under the FreeRADIUS configuration directory. Follow the instructions to create a new set of certificates for your organization.
If you have a secondary FreeRADIUS server, you can use the server.cnf file: make a backup of the configuration for the primary FreeRADIUS server, then modify it to create a certificate for the secondary RADIUS server. Be careful not to overwrite the primary FreeRADIUS server's files.
What just happened?
We created a PKI specific to our organization. The CA should be used by the EAP supplicant to confirm the validity of the RADIUS server.
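As an added illustration (not taken from the book or the FreeRADIUS documentation), this is how a client trusts the new CA when the supplicant is wpa_supplicant, shown beside the configuration that skips the check. The choice of wpa_supplicant, the SSID, the identity and the certificate path are all assumptions made for the example.

```conf
# wpa_supplicant.conf fragments (constructed example; only one of the two
# network blocks would appear in a real file).

# Weak: no ca_cert (and no ca_path). wpa_supplicant then does not verify
# the RADIUS server's certificate, so the client cannot confirm that the
# server it hands its credentials to is the organization's own.
network={
    ssid="example-corp"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"               # placeholder user
    password="CHANGE_ME"           # placeholder
    phase2="auth=MSCHAPV2"
}

# Corrected: the CA certificate created for the organization's RADIUS PKI
# is copied to the client and named in ca_cert. The server certificate
# must now chain to this CA or the EAP exchange is aborted before the
# inner authentication runs.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGE_ME"
    ca_cert="/etc/wpa_supplicant/ca.pem"   # placeholder path to the new CA
    phase2="auth=MSCHAPV2"
}
```

The same ca_cert setting applies when eap=TTLS is used in place of PEAP.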
Why use a PKI?
Every client that uses EAP-TTLS or PEAP must add the newly created CA certificate to the list of available CAs in the supplicant. If you fail to do this, you are creating a huge security risk. The following diagram should...