I think your terminology is incorrect. I know for a fact that Funk's software will not accept a self-signed cert. That is a certificate not signed by another CA. What I think you meant was having your own private trusted CA root, where the server and client certs are signed by it. And, yes, in that configuration you have to install the cert for that CA on the clients, if you want them to verify the server cert. If you can provide me a pointer to the Funk documentation that recommends what you suggest, I would appreciate it.

Dave.

----- Original Message -----
From: "Josh Howlett"
To: "FreeRadius users mailing list"
Subject: Re: XP supplicant and Secure Cerficate acceptance
Date: Mon, 1 Aug 2005 21:53:16 +0100 (BST)

> On Mon, 1 Aug 2005, jck-freeradius@southwestern.edu wrote:
>
> > I am running FreeRadius 1.0.4 and using XP supplicants. My problem
> > is after authenticating against FreeRadius, XP asks me to OK
> > the server certificate.
> >
> > I do not want to manually validate the server certificate. XP should be able
> > to validate the certificate by itself, as long as the cert has been issued by
> > a valid Certificate Authority. I have tried using certs from DigiCert and
> > Verisign.
>
> Hi,
>
> In an 802.1x context, it is best to use certs from a self-signed CA, rather
> than a well-known CA (such as Verisign).
>
> This is because an attacker could dupe your users' supplicants by acquiring a
> certificate from the same CA that you trust (i.e. Verisign), and install a
> rogue WAP near your premises to steal inner-tunnel credentials.
>
> There is a solution, and this is to get the supplicant to verify certain
> attributes within the server cert. However, I am aware of only one supplicant
> that can do this: Funk's Odyssey. FWIW, even Funk recommend using a
> self-signed CA.
>
> Evidently, you'll need to distribute the CA's root certificate to your users.
>
> josh.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
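The trust question in the thread above can be shown end to end in a few dozen lines. The following Go program is an added example, not code from the thread, from FreeRADIUS, or from Funk: it builds two in-memory roots (a stand-in for a well-known public CA and a private "Campus RADIUS CA"), issues a legitimate server cert and a second cert for an unrelated name under the public root, and then runs the two kinds of supplicant check Josh contrasts. `chainOnly` is a supplicant that merely trusts a root; `chainAndName` also pins the expected server name, which here stands in for the "certain attributes within the server cert" check attributed to Odyssey (the real check is on subject fields rather than a DNS name, and all CA names, server names and serial numbers below are constructed for the demo).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca holds a root certificate and its signing key. Everything is built in
// memory for this demo; no real CA, server or supplicant is involved.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root. The same code stands in for a well-known
// public CA and for a site's own private root.
func newCA(name string) ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return ca{cert: cert, key: key}
}

// issue has the CA sign a server certificate for dnsName.
func (c ca) issue(dnsName string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// chainOnly models a supplicant that accepts any server cert chaining to the
// trusted root, without looking at who the cert was issued to.
func chainOnly(root, server *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// chainAndName additionally pins the expected server name (stand-in for the
// per-attribute check on the server cert that the thread describes).
func chainAndName(root, server *x509.Certificate, expected string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: expected})
	return err == nil
}

// buildScenario returns: public root, private root, the site's server cert
// from the public CA, a cert for an unrelated name from the same public CA,
// and the site's server cert from the private CA. All names are constructed.
func buildScenario() (pub, priv, legitPublic, roguePublic, legitPrivate *x509.Certificate) {
	pubCA := newCA("Example Public CA")
	privCA := newCA("Campus RADIUS CA")
	return pubCA.cert, privCA.cert,
		pubCA.issue("radius.example.edu", 2), // the real RADIUS server
		pubCA.issue("rogue.example.net", 3),  // any other customer of the same CA
		privCA.issue("radius.example.edu", 4) // only the site can issue under this root
}

func main() {
	pub, priv, legit, rogue, legitPriv := buildScenario()
	fmt.Println("public root, chain only, unrelated cert accepted:", chainOnly(pub, rogue))
	fmt.Println("public root, chain+name, unrelated cert accepted:", chainAndName(pub, rogue, "radius.example.edu"))
	fmt.Println("private root, chain only, unrelated cert accepted:", chainOnly(priv, rogue))
	fmt.Println("private root, site cert accepted:", chainAndName(priv, legitPriv, "radius.example.edu"))
	fmt.Println("public root, site cert accepted:", chainAndName(pub, legit, "radius.example.edu"))
}
```

Run it with `go run .`: with only the public root trusted, `chainOnly` accepts the unrelated certificate just as readily as the site's own, which is the exposure Josh describes; adding the name check or switching to a private root rejects it. Either way the root has to reach the clients, which is the distribution step both Josh and Dave mention.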