Re: How to enable only EAP-TTLS type and not EAP-TLS?
Reimer Karlsen-Masur, DFN-CERT wrote:
> Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
> has its root CA certificate preinstalled in the standard certificate stores...
No. You are saying that the supplicant should trust those root CAs
for ALL authentication.
I.e. you have a certificate for "example.com", signed by Verisign.
The supplicant is configured to trust the Verisign-signed certificates,
because that's what you have.
Now *anyone* who is issued a certificate from Verisign can
authenticate your users. If your users are using EAP-TTLS with PAP
authentication, you've just convinced them to send their clear-text
password to some random person on the Internet.
RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That
means that no one else can successfully convince the users to send them
the passwords.
Alan DeKok.
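The trust problem in the reply above, shown as a wpa_supplicant.conf fragment (an added illustration, not from the thread or the FreeRADIUS project); the SSID, the server name "radius.example.com" and the path of the locally copied self-signed RADIUS CA are assumed values.

```ini
# Assumed: SSID "corp-wifi", RADIUS server cert CN "radius.example.com",
# self-signed RADIUS CA copied to /etc/ssl/radius-ca.pem (placeholders).

# WEAK: ca_cert points at the OS bundle, so any server certificate that
# chains to any public root is accepted, and nothing checks which server
# it is. A rogue access point with a publicly issued certificate can
# complete the TTLS tunnel and receive the PAP password in clear text.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="alice"
    password="PLACEHOLDER-PASSWORD"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # no domain_match / subject_match: every public CA is trusted here
}

# HARDENED: pin the single self-signed CA that issued the RADIUS server
# certificate, and additionally require the server's name to match, so a
# certificate from any other issuer (or any other name) is rejected
# before the inner PAP exchange ever starts.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="alice"
    password="PLACEHOLDER-PASSWORD"
    ca_cert="/etc/ssl/radius-ca.pem"
    domain_match="radius.example.com"
}
```

Only the second block belongs in a deployed configuration; the first is kept here to make the difference visible side by side.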