From: Matthew L. <mat...@ep...> - 2008-03-27 12:32:36
Hi,

A question to those of you who manage multiple sites with Radmind, and use certificates.

I've been asked to implement my Radmind setup across multiple sites within our company. I am looking to have my current Radmind server as a master, and the relevant parts of /var/radmind get rsynced regularly to local Radmind servers at all the other sites, so we are all using the same loadsets, command files, etc. That bit I can see working and know others have done the same.

However, I currently use static IPs assigned via DHCP and this is a no-no on the company-wide setup, so we're looking at certificates. We also want it so that no matter what site a Mac moves to (this is thinking laptops, in the main; but also relocating Macs in certain DR scenarios), it can be identified by the local Radmind server at that site and get any updates pending.

I'm setting up the certificate environment within my current one-server setup, and chewing my way through this. My question is, once I get this working, is it possible to use certificates in a way that a client's certificate can be authenticated/identified by all the local Radmind servers across the multiple sites? Or do I need to create a CA on each Radmind server and then have a cert-per-site for each client? I can see how I might do this by having the multiple certs on a client, and within my scripts identifying the site network it is on (we have ways of doing this) and supplying the correct cert explicitly within the radmind commands.

My knowledge of certificates is rudimentary (but growing daily!) so I'm thinking off-the-cuff here, but someone out there might be able to give me the low-down on the "right way" to implement this.

TIA,
Matt.