@thecompnerd wrote:
Let me preface this with the following: I am not a certificate expert.
I'd like to know if there should be any concern about the CN in the cert that I issue to my controller since anyone attempting to authenticate will see the certificate from the controller? I try to protect internal name space and IP space as much as possible, and I'm not sure if it's worth worrying about here. I've considered using external PKI and obscure CNs instead of the controller name and internal PKI.
I'd appreciate any feedback you have regarding this.
It does not matter. Clients do not need ip access to the fqdn of a radius server to use it. The controller sits between the client and the radius server and abstracts this. You can block clients from your management networks, which could be where your radius server is, and have your client still authenticate to it. A 802.1x transation is mutual. That means the radius server would need your username and password and the client can validate the certificate of the device that it is connecting to. Your client can decide NOT to validate the certificate of the radius server, but it will always be able to see it.
Only if a client needs to authenticate via a captive portal does it need to actually have ip access to the server, and you can always dictate what protocols that client connects to the server with...