On Sun, 2007-12-02 at 11:31 -0800, Satish Chetty wrote:
This is a not a direct FDS question but I thought I will ask anyway.
want to issue digital certificates (stored and verified on FDS) to every
laptop and desktop.
If I needed this today, I'd use Red Hat Certificate System to do it.
Soon there will be a Fedora Certificate System as well...
When the laptop/desktop gets on the network and
requests a DHCP IP address, I want the DHCP server to verify the
certificate before access to the network resources is allowed. Something
similar to the Hotspots in coffee shops and hotels but that uses
certificates instead of login/password from user.
You don't really want to do this at the DHCP server. Anyone with a
sniffer, a couple minutes, and a clue could get on your net in spite of
it, even if it were possible. DHCP was never intended to be a security
service. DHCP requires the client to already have access to the physical
media, and just helps the client play nicely by filling it in on the
local conventions, so to speak. It sounds like perhaps what you really
want is 802.1x with EAP-TLS. 802.1x actually restricts access to the
media, though it takes some infrastructure, including switch support.
One of the authentication mechanisms available is EAP-TLS, which lets
you use certificates for authentication.