On Sun, 2007-12-02 at 11:31 -0800, Satish Chetty wrote: > This is a not a direct FDS question but I thought I will ask anyway. I > want to issue digital certificates (stored and verified on FDS) to every > laptop and desktop. If I needed this today, I'd use Red Hat Certificate System to do it. Soon there will be a Fedora Certificate System as well... pki.fedoraproject.org > When the laptop/desktop gets on the network and > requests a DHCP IP address, I want the DHCP server to verify the > certificate before access to the network resources is allowed. Something > similar to the Hotspots in coffee shops and hotels but that uses > certificates instead of login/password from user. You don't really want to do this at the DHCP server. Anyone with a sniffer, a couple minutes, and a clue could get on your net in spite of it, even if it were possible. DHCP was never intended to be a security service. DHCP requires the client to already have access to the physical media, and just helps the client play nicely by filling it in on the local conventions, so to speak. It sounds like perhaps what you really want is 802.1x with EAP-TLS. 802.1x actually restricts access to the media, though it takes some infrastructure, including switch support. One of the authentication mechanisms available is EAP-TLS, which lets you use certificates for authentication.
Description: S/MIME cryptographic signature