WPA Certificate Question

Fajar A. Nugraha fajar at fajar.net
Sun Jan 31 19:01:21 CET 2010

On Mon, Feb 1, 2010 at 12:43 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> why use your own CA?  well, in the case of EAP-TLS, this gives extra
> security... but even in the case of EAP-TTLS or EAP-PEAP - if the RADIUS
> server is signed by eg Verisign, then ANYONE can get a verisign certificate
> with some cash.... eg
> radius.fake.org
> and then they can attempt a man-in-middle.... okay, if the client is
> secured properly, then it wont talk to radius.fake.org because its been
> asked to validate the RADIUS server....but if it hasnt been configured
> properly, then the client will happily talk to radius.fae.org - because it
> has the Verisign CA installed and will validate that all is okay.

Won't the client see the name first, i.e. radius.fake.org in your
example, and they (should) see something wrong?

> how often is this a worry? I'm afraid, after looking at man sites 'how to
> configure your client' , the 'validate cert' stage is often overlooked,
> ignored...or even worse...people are told NOT TO (probably because the
> site havent got their RADIUS configured correctly, cant handle the
> SSL stuff properly or have chosen the self-sign CA and havent got around
> to ways of deploying that client :-( )

Yep, many admins do that :(


More information about the Freeradius-Users mailing list