On Mon, Feb 1, 2010 at 12:43 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
why use your own CA? well, in the case of EAP-TLS, this gives extra security... but even in the case of EAP-TTLS or EAP-PEAP - if the RADIUS server is signed by eg Verisign, then ANYONE can get a verisign certificate with some cash.... eg
radius.fake.org
and then they can attempt a man-in-middle.... okay, if the client is secured properly, then it wont talk to radius.fake.org because its been asked to validate the RADIUS server....but if it hasnt been configured properly, then the client will happily talk to radius.fae.org - because it has the Verisign CA installed and will validate that all is okay.
Won't the client see the name first, i.e. radius.fake.org in your example, and they (should) see something wrong?
how often is this a worry? I'm afraid, after looking at man sites 'how to configure your client' , the 'validate cert' stage is often overlooked, ignored...or even worse...people are told NOT TO (probably because the site havent got their RADIUS configured correctly, cant handle the SSL stuff properly or have chosen the self-sign CA and havent got around to ways of deploying that client :-( )
Yep, many admins do that :( -- Fajar