How to enable only EAP-TTLS type and not EAP-TLS?

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Jan 10 15:41:15 CET 2008


A.L.M.Buxey at lboro.ac.uk wrote on 10.01.2008 14:53:
> Hi,
> 
>>   RADIUS certificates for EAP should ALMOST ALWAYS be self-signed.  That
>> means that no one else can successfully convince the users to send them
>> the passwords.
> 
> seconded/thirded.  as UK eduroam support I agree that such a closed-loop
> system provides a better protection.  though more config and deployment pains,
> certainly ;-)

Actually we were talking about server side config.

Looking at the supplicant, the user really should enter the fully qualified
name of the RADIUS server he expects his authN to be checked against, and he
really should make sure that his supplicant checks strictly that this FQDN
matches the CN of the RADIUS server cert. Usually there is some
checkbox/option to enable that behavior.

If the supplicant is not configured that strictly, at the end of the day it
does not matter if you rolled your own self-signed RADIUS server cert or you
have a cert with its root CA pre-installed.

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
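As an added illustration of the supplicant-side point made above (this is example configuration, not part of the original post and not FreeRADIUS project material), here are two wpa_supplicant network blocks for EAP-TTLS: the loose one only trusts a CA, the strict one also pins the expected RADIUS server FQDN. SSID, realm, file paths and the server name are placeholders.

```conf
# Loose: the CA is trusted, but no server name is pinned. Any server
# presenting a certificate issued by that CA is accepted, so the inner
# MSCHAPv2 exchange (and with it the password) goes to whoever holds
# such a certificate. Without ca_cert, any server at all is accepted.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
}

# Strict: same network, but the FQDN the user expects is checked against
# the server certificate, which is the "checkbox" the post refers to.
# subject_match is a substring match on the certificate subject, so it
# is anchored at the CN field. domain_suffix_match (available in newer
# wpa_supplicant releases) checks the FQDN against the certificate's
# dNSName SAN entries, falling back to the CN, as a full-label suffix
# match; use it where the supplicant supports it. A server whose
# certificate does not carry the pinned name is rejected before any
# inner credentials are sent.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    subject_match="/CN=radius.example.org"
    domain_suffix_match="radius.example.org"
}
```

With a self-signed RADIUS certificate, ca_cert simply points at that certificate itself; the name check is still worth keeping so the trust decision does not rest on the file path alone.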