XP supplicant and Secure Cerficate acceptance

Josh Howlett Josh.Howlett at bristol.ac.uk
Mon Aug 1 22:53:16 CEST 2005

On Mon, 1 Aug 2005, jck-freeradius at southwestern.edu wrote:

> I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
> is after authenticating against FreeRadius, XP asks me to OK
> the server certificate.
> I do not want to manually validate the server certificate.  XP should be able
> to validte the certificate by itself, as long as the cert has been issued by
> a valid Certificate Authority.  I have tried using certs from DigiCert and
> Verisign.


In an 802.1x context, it is best to use certs from a self-signed CA, 
rather than a well-known CA (such as Verisign).

This is because an attacker could dupe your users' supplicants by 
acquiring a certificate from the same CA that you trust (ie. Verisign), 
and install a rogue WAP near your premises to steal inner-tunnel 

There is a solution, and this is to get the supplicant to verify certain 
attributes within the server cert. However, I am aware of only one 
supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend 
using a self-signed CA.

Evidentally, you'll need to distribute the CA's root certificate to your 


More information about the Freeradius-Users mailing list