15 Mar
2017
15 Mar
'17
2:26 p.m.
Herwin Weststrate wrote:
On 15-03-17 11:00, Herman Øie Kolden wrote:
On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organizations in the "CA_file", you permit them to masquerade as you,
Why is this a concern for EAP, but not for regular web certificates?
Web certificates have a check to see if the dns name matches the certificate. You can do a hostname check with some radius supplicants, but 90% of the people don't use it.
Especially since AFAIK a TLS name-based server identity check like defined in RFC 6125 for various other protocols is not yet clearly defined for RADIUS with EAP. Ciao, Michael.