TTLS+PAP with Windows
Michael Ströder
michael at stroeder.com
Wed Mar 15 19:24:11 CET 2017
Bjørn Mork wrote:
> Herman Øie Kolden <herman at samfundet.no> writes:
>> On Tue, Mar 14, 2017 at 07:12:28PM -0400, Alan DeKok wrote:
>>
>>> I don't recommend using public CAs for WiFi authentication. It's insecure.
>>
>> Interesting. Would you mind explaining why?
>
> /usr/share/doc/freeradius/examples/certs/README in the Debian package
> says
>
> In general, you should use self-signed certificates for 802.1x
> (EAP) authentication. When you list root CAs from other
> organizations in the "CA_file", you permit them to masquerade as
> you, to authenticate your users, and to issue client certificates
> for EAP-TLS.
Strictly speaking, a self-signed certificate is a public-key certificate signed by the
private key of the very same key pair (and not by another entity's private key).
So while I fully agree with the statement above, the term "self-signed certificate" is
wrong. It should clearly say that you should run your own single-purpose EAP CA and
distribute the EAP CA's public-key certificate in all your client configurations.
Ciao, Michael.
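The distinction drawn in this message, and the README's point about listing other roots, as an added example that is not part of the original post or of FreeRADIUS: an OpenSSL shell sketch that builds a private EAP CA, shows that only the CA root is self-signed while the server certificate it issues is not, and shows how a trust list that also contains another root accepts a certificate that root issued. The CA names, the subject `radius.example.org` and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. CA names, subject names and file names are constructed.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# make_ca NAME: key pair plus root certificate signed by that same key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

# issue CA OUT CN: CA signs a certificate for subject CN, written to OUT.pem.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -days 30 -out "$W/$2.pem" 2>/dev/null
}

# is_self_signed CERT: issuer equals subject and the signature verifies
# with the certificate's own public key.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# accepted BUNDLE CERT: would a verifier trusting BUNDLE accept CERT?
accepted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_ca eap-ca       # your own single-purpose EAP CA
make_ca other-ca     # stands in for any other organization's root
issue eap-ca   radius  radius.example.org   # certificate from your EAP CA
issue other-ca foreign radius.example.org   # same name, other issuer

cp "$W/eap-ca.pem" "$W/own-only.pem"
cat "$W/eap-ca.pem" "$W/other-ca.pem" > "$W/with-other.pem"

report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report is_self_signed "$W/eap-ca.pem"
report is_self_signed "$W/radius.pem"
report accepted "$W/own-only.pem"   "$W/foreign.pem"
report accepted "$W/with-other.pem" "$W/foreign.pem"
```

The same path validation applies whichever side holds the trust list: the server's "CA_file" for client certificates, or the CA certificate distributed in client configurations.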