iOS mysterious issues on Freeradius 3.0.14

Matthew Newton mcn4 at leicester.ac.uk
Thu Mar 23 11:50:43 CET 2017


On Thu, Mar 23, 2017 at 09:29:54AM +0000, Peter Hutchison wrote:
> With PEAP you should *always* use Publicly recognised TLS/SSL
> certificates, preferably with a well-known CA source or one that
> your University supports.

That's certainly not the recommended practice that's ever
normally given here.

All RADIUS certificates should be based on private CA
infrastructure where possible for the best security.

> Also it should be at least 2048 bits and use the SHA256 hash
> algorithm, SHA1 should be phased out.

This is better advice.

> For example, we use JISC service which uses Quo Vadis CA. Do not
> use self-signed or internal CA certificates.

No. Use an internal CA with installers (such as eduroam CAT)
to push the config and root CA to the devices.

You might find a public CA the right balance between convenience
and security for yourselves, and many people do, but it's not
the correct advice for a secure network.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
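
The points made in this thread (a private CA, keys of at least 2048 bits, SHA256 rather than SHA1) as an added example that is not part of the original message or of FreeRADIUS: it builds a private CA and a server certificate with openssl, then checks the certificate against those points. The CA name, host name and file names are constructed, and accepting SHA-384/512 alongside SHA256 is an assumption.

```shell
#!/bin/sh
# Added example. Every name here (Example RADIUS CA, radius.example.org,
# file names) is constructed for illustration.

# Create a private root CA and a RADIUS server certificate signed by it,
# both with 2048-bit RSA keys and SHA-256 signatures, in directory $1.
make_private_ca_and_server() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -subj "/CN=Example RADIUS CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=radius.example.org" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -out "$1/server.pem" 2>/dev/null
}

# Public key size in bits of certificate $1.
cert_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm name of certificate $1, e.g. sha256WithRSAEncryption.
cert_sigalg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# policy_ok BITS SIGALG: at least 2048 bits and a SHA-2 signature (no SHA1).
policy_ok() {
  [ "$1" -ge 2048 ] || return 1
  case "$2" in
    *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) return 0 ;;
    *) return 1 ;;
  esac
}

# issued_by CA_PEM CERT_PEM: does CERT verify against this CA alone
# (system trust store excluded), as a client pinned to the private root would?
issued_by() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# check_radius_cert CA_PEM SERVER_PEM: all three checks together.
check_radius_cert() {
  issued_by "$1" "$2" && policy_ok "$(cert_bits "$2")" "$(cert_sigalg "$2")"
}

demo=$(mktemp -d)
make_private_ca_and_server "$demo" &&
  check_radius_cert "$demo/ca.pem" "$demo/server.pem" &&
  echo "server.pem: $(cert_bits "$demo/server.pem") bit, $(cert_sigalg "$demo/server.pem")"
```
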

