On Mon, 1 Aug 2005, jck-freeradius@southwestern.edu wrote:
I am running FreeRadius 1.0.4 and using XP supplicants. My problem is after authenticating against FreeRadius, XP asks me to OK the server certificate.
I do not want to manually validate the server certificate. XP should be able to validte the certificate by itself, as long as the cert has been issued by a valid Certificate Authority. I have tried using certs from DigiCert and Verisign.
Hi, In an 802.1x context, it is best to use certs from a self-signed CA, rather than a well-known CA (such as Verisign). This is because an attacker could dupe your users' supplicants by acquiring a certificate from the same CA that you trust (ie. Verisign), and install a rogue WAP near your premises to steal inner-tunnel credentials. There is a solution, and this is to get the supplicant to verify certain attributes within the server cert. However, I am aware of only one supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend using a self-signed CA. Evidentally, you'll need to distribute the CA's root certificate to your users. josh.