Help for buy a real Cert (not self-signed)

Brian Candler b.candler at pobox.com
Wed Feb 1 12:43:30 CET 2017


On 01/02/2017 10:01, Spider s wrote:
> Hello, thank you for your advice, but the problem is that I use Active
> Directory for auth, but old printers and APs can't install the certs.
Access Points don't have, or even check, certificates. The certificate 
goes in the RADIUS server and the EAP messages are forwarded end-to-end:

client <----------> access point <-----------> RADIUS
        < . . . . . . EAP request . . . . . . > server

So there's zero problem with old APs.

I'm not sure what you mean by printers in this context. Why would it 
need a certificate?

Are you saying that you have a wireless printer, which *does* support 
WPA-Enterprise with EAP-PEAP/MSCHAPv2 for wireless access, but has a 
hard-coded set of root certificates??

I have never seen such a printer. I'd guess it's probably insecure 
anyway and doesn't check the root certificate at all. Try it.

And if it doesn't work, connect it with an ethernet cable instead.

> I need
> a solution for the users and don't need to install the cert if possible.
Your users will be able to connect without the cert; they'll just click 
through a few prompts. But it will be totally insecure.

Using a certificate from a trusted CA *doesn't help*, because they'll 
still have to click through a bunch of prompts in order to connect, and 
they won't be able to distinguish your signed cert from someone else's 
signed cert.

For example, say I legitimately own the domain "evil.com". I buy a 
certificate for "wireless.evil.com". I set up an access point with your 
SSID. Your clients attach to it, and they will happily send me their 
passwords, and I will happily man-in-the-middle all their network traffic.

They will only refuse to talk to my evil access point if either:

1. They have been configured to recognise only a specific named 
certificate, e.g. "wireless.yourdomain.com". This requires explicit 
configuration. Or:

2. They have been configured only to accept a certificate signed by a 
private CA which you have set up. This requires explicit configuration.

In both cases, it's only secure if you do the explicit configuration, 
which means creating a profile which you load into their device. So you 
may as well learn how to do it.

Option 1 is not available for Android and Linux clients. So you are 
forced to option 2.
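As an added illustration (not part of Brian's message), here is what the two cases look like in a Linux wpa_supplicant network block; the SSID, identity, password and CA file path are assumed placeholder values:

```conf
# Weak: no ca_cert line, so the supplicant does not validate the RADIUS
# server's certificate at all. A rogue AP presenting any certificate,
# including a publicly trusted one for "wireless.evil.com", gets the
# user's MSCHAPv2 credentials.
network={
    ssid="corp-wifi"              # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"              # assumed username
    password="CHANGE-ME"          # constructed placeholder
    phase2="auth=MSCHAPV2"
}

# Hardened (option 2 above): only a server certificate that chains to the
# organisation's own private CA is accepted. Because that CA never issues
# certificates to anyone else, a purchased public certificate is rejected.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # assumed path to the private CA
}
```

The second block is the "profile" the message refers to: the same trust anchor has to be distributed to every client, since nothing else in the exchange tells the client which RADIUS server it should be talking to.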

> I am not lazy to install certs; it is a problem for easy usage by users and
> full compatibility.

I know what you mean, I wish this was sane - it would be great if 
everyone used FQDNs for SSIDs, and clients matched the SSID to the 
certificate identity.

Unfortunately, it's not sane. Welcome to the real world.

Regards,

Brian.


More information about the Freeradius-Users mailing list