On 15-03-17 11:00, Herman Øie Kolden wrote:
On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organizations in the "CA_file", you permit them to masquerade as you,
Why is this a concern for EAP, but not for regular web certificates?
Web certificates have a check to see if the dns name matches the certificate. You can do a hostname check with some radius supplicants, but 90% of the people don't use it. This means there is only one check remaining: is this certificate valid according to some certificate authority on this device. This means I can order a certificate for foo.com and use that on a rogue access point inside company Bar. -- Herwin Weststrate