WPA Certificate Question
A.L.M.Buxey at lboro.ac.uk
Sun Jan 31 18:43:11 CET 2010
> But I don't plan on distributing client certificates for authentication. I
> intend for them to login with a username and password checked against my
> Radius server, so I'm not sure what role the certificate plays in that
the certificate is for the RADIUS server - this will let your clients
know that they really are establishing a RADIUS authentication for a server
they can verify.
ie myCA signs the RADIUS server, the client then has the myCA cert installed
and is configured to check the RADIUS server eg radius.my.org and validate
that against the server.
in this case, you will need the myCA CA cert installed on the client.
why do this? so that you can verify and validate the RADIUS server - if you
dont, then a man-in-the-middle attack could be accomplished and then
you'll be sending usernames and passwords to that 3rd party server. very nice
for Mr Cracker.
why use your own CA? well, in the case of EAP-TLS, this gives extra
security... but even in the case of EAP-TTLS or EAP-PEAP - if the RADIUS
server is signed by eg Verisign, then ANYONE can get a verisign certificate
with some cash.... eg
and then they can attempt a man-in-middle.... okay, if the client is
secured properly, then it wont talk to radius.fake.org because its been
asked to validate the RADIUS server....but if it hasnt been configured
properly, then the client will happily talk to radius.fae.org - because it
has the Verisign CA installed and will validate that all is okay.
how often is this a worry? I'm afraid, after looking at man sites 'how to
configure your client' , the 'validate cert' stage is often overlooked,
ignored...or even worse...people are told NOT TO (probably because the
site havent got their RADIUS configured correctly, cant handle the
SSL stuff properly or have chosen the self-sign CA and havent got around
to ways of deploying that client :-( )
More information about the Freeradius-Users