AAA/802.1x

Certificate Expiration

‎02-11-2009 03:59 AM

Does anyone have a tool to create a certificate .pfx (one that does not expire after a short period), to use when enabling EAP on SBR?

Re: Certificate Expiration

‎02-11-2009 07:32 AM

I have another question please. For the SBR appliance I have two NICs in the appliance; I need to know the following:

1- Does NIC 1 on the appliance server always work for management only, and NIC 2 is used for RADIUS traffic (all RADIUS clients will have the IP of this NIC as the IP of SBR)?

2- Can you provide me with more docs about this product, and how to manage it, also any info about NEWS?

Re: Certificate Expiration

‎02-13-2009 04:46 AM

Hi,

You have a few options.

1) Go to a public Certificate Authority and buy a certificate (usually these are valid for just one year).

2) Use OpenSSL, which is free (or a wrapper program around it, depending upon your preferred platform). OpenSSL allows you to set up a Certificate Authority that can create certificates for servers/services within your company.

3) Use MS Windows Server 200x Certificate Services. This allows you to create a local CA using Windows.

If you expect non-local users to need to authenticate and be authenticated, then you probably need to obtain a public certificate (option 1) so that all users can be confident that the server they're using to authenticate is the right one. However, if you will only be authenticating devices within your company, I recommend against buying a public certificate.

Instead use OpenSSL (I prefer it over Windows, but that's a personal preference) to create a CA with a public/private certificate pair. This certificate should have a long lifetime (e.g. 10 years). You then distribute the public key of the CA to all your internal devices (including your SBR server).

You also create a public/private certificate pair for the server but with a shorter lifetime (e.g. 1 year). That public *and* private key are distributed (in pfx format) to the SBR server.

When authenticating, the clients will view the packets sent by the SBR server demanding credentials and will check that they have been 'signed' using the private key by matching with the public key they hold for the CA. Because the CA is trusted, the keys signed by the CA are also trusted. The clients then use the public key, which was sent by the SBR server in the earlier exchange, to encrypt the traffic back to the SBR server (I'm assuming EAP-TLS, EAP-TTLS or PEAP). The SBR server uses the private key to decrypt the traffic.

Now, OpenSSL can be a bit cryptic (excuse the pun), which is why you may want to look into a wrapper program that provides you with a front end to manage your keys.

Hope that helps.

Rgds,

Guy
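The procedure described in the reply above (a long-lived private CA, a one-year server certificate signed by it, and the server key plus certificate delivered to the RADIUS server as a .pfx), written out as an added shell example with the OpenSSL command-line tool. This is not code from the thread or from Juniper; the CA name "ExampleCorp Internal CA", the hostname sbr.example.internal, the file names, and the placeholder passphrase are assumptions, and the SBR-side import steps are not shown. Beyond the steps in the reply, the script adds an expiry check with `openssl x509 -checkend`, which is the check you would run from monitoring so that the one-year server certificate is renewed before it lapses.

```shell
#!/bin/sh
# Added example (not from the thread): private CA (~10 years), CA-signed server
# certificate (1 year), exported as PKCS#12 (.pfx) for the RADIUS server.
# Hypothetical names: the CA subject, sbr.example.internal, file names, and the
# placeholder passphrase. Adjust to your environment.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-change-me}"     # placeholder; the server asks for it on import
CA_DAYS=3650                          # long-lived CA, roughly 10 years
SERVER_DAYS=365                       # short-lived server certificate, 1 year
SERVER_NAME="sbr.example.internal"    # hypothetical RADIUS server hostname

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA. ca.crt is what the supplicants get; ca.key stays offline.
make_ca() {
  openssl req -config "$WORKDIR/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days "$CA_DAYS" -subj "/CN=ExampleCorp Internal CA" -extensions ca_ext \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Server key and CSR, then a CA-signed certificate with the serverAuth EKU
# that EAP supplicants expect on the authentication server's certificate.
make_server_cert() {
  openssl req -config "$WORKDIR/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$SERVER_NAME" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days "$SERVER_DAYS" -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/openssl.cnf" -extensions server_ext \
    -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Bundle server key + server cert + CA cert into a password-protected .pfx.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
    -certfile "$WORKDIR/ca.crt" -passout "pass:$PFX_PASS" -out "$WORKDIR/server.pfx"
}

# Does the server certificate chain to our CA?
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Exit 0 if certificate $1 is still valid $2 days from now, non-zero if it will
# have expired by then. Run this from monitoring for every deployed certificate.
cert_outlives_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Read the .pfx back and confirm the end-entity certificate inside is the server's.
pfx_contains_server_cert() {
  openssl pkcs12 -in "$WORKDIR/server.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "$SERVER_NAME"
}

build_all() {
  write_config && make_ca && make_server_cert && export_pfx
}

if [ "${1:-}" = "run" ]; then
  build_all
  verify_chain && echo "chain OK"
  cert_outlives_days "$WORKDIR/server.crt" 30 && echo "server cert valid for 30+ days"
  echo "artifacts in $WORKDIR"
fi
```

Run it as `sh make-eap-certs.sh run`. Distribute ca.crt to the clients and configure the supplicants to validate the server certificate against it (and, ideally, to check the server name), import server.pfx on the RADIUS server, and keep ca.key off the server entirely. Because the CA outlives the server certificate by years, only server.pfx needs reissuing each year; the trust you pushed to the clients stays valid.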


Re: Certificate Expiration

‎02-14-2009 11:57 PM

Thank you for your reply.

I have another question please. For the SBR appliance I have two NICs in the appliance; I need to know the following:

1- Does NIC 1 on the appliance server always work for management only, and NIC 2 is used for RADIUS traffic (all RADIUS clients will have the IP of this NIC as the IP of SBR)?

2- Can you provide me with more docs about this product, and how to manage it, also any info about NEWS?


Re: Certificate Expiration

‎02-15-2009 12:40 PM

Hi,

I can't answer your first question.

All our documentation is at http://www.juniper.net/techpubs

Specific docs for SBR are at http://www.juniper.net/techpubs/software/aaa_802/sbr.html; just look in the enterprise section for the appliance docs.

Rgds,

Guy