Double check of sanity with PEAP setup
Hey all, I just want to double check that I am doing something correctly as I set up our new radius servers. We currently use PEAP to auth our wireless. My question is about doing the certificates correctly on the new radius servers. We currently use a Global CA cert in the TLS section but everywhere says not to in the config files. I'm confused as to why for PEAP, as we have to have a CA signed cert for all the user devices to not throw a "could not verify cert" creating the TLS tunnel before EAP. Clients installing a cert is a non-starter....there is no way with the amount of visitors. So is a CA signed TLS cert correct for PEAP auth or am I not understanding something in the documentation? I just want to make sure I do this correctly and do not have some giant gaping security hole. Thanks, Adam Taylor
Hi Adam. Clients installing a cert is a non-starter....there is no way with the
amount of visitors.
I hope you are not talking about eduroam, and eduroam visitors.
So is a CA signed TLS cert correct for PEAP auth or am I not understanding something in the documentation?
The question you should be asking yourself is: Are you sure that your users' supplicants are checking the server cert Subject? Could they be fooled by any cert signed under the same CA certificate? Regards, Alberto
So I don't dup the messages for this chain: Alberto, Yup! That is why we are redoing our Freeradius servers, adding redundancy, and getting them off our, ahem...Solaris boxes..... We never required the suffix part of the user names before....but kinda required for Eduroam. So we figured a clean install/config would do us some good. Alan, Thanks for the explanation. I do appreciate it. I was just hoping to find a way that client iOS devices would not have to click the "trust cert" the first time they connect. Windows doesn't seem to care...but we stress to the students not to click things that look odd and ask first. But they are always asking about that trust screen the first time they connect. If there is a better way to handle thousands of BYODs you know of without some complicated registration process...I'm all ears!! Our upper admins want simple and secure...which I try to tell them don't really go together sometimes... Thanks, Adam Taylor -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ataylor=ulm.edu@lists.freeradius.org] On Behalf Of Alberto Martínez Setién via Freeradius-Users Sent: Friday, December 13, 2019 3:42 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Alberto Martínez Setién <alberto.martinez@deusto.es> Subject: Re: Double check of sanity with PEAP setup Hi Adam. Clients installing a cert is a non-starter....there is no way with the
amount of visitors.
I hope you are not talking about eduroam, and eduroam visitors.
So is a CA signed TLS cert correct for PEAP auth or am I not understanding something in the documentation?
The question you should be asking yourself is: Are you sure that your users' supplicants are checking the server cert Subject? Could they be fooled by any cert signed under the same CA certificate? Regards, Alberto - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sun, 2019-12-15 at 16:52 +0000, Adam Taylor wrote:
If there is a better way to handle thousands of BYODs you know of without some complicated registration process...I'm all ears!! Our upper admins want simple and secure...which I try to tell them don't really go together sometimes...
Take a look at https://cat.eduroam.org/ ? -- Matthew
On 15.12.19 18:40, Matthew Newton wrote:
On Sun, 2019-12-15 at 16:52 +0000, Adam Taylor wrote:
If there is a better way to handle thousands of BYODs you know of without some complicated registration process...I'm all ears!! Our upper admins want simple and secure...which I try to tell them don't really go together sometimes...
Take a look at https://cat.eduroam.org/ ?
I can't stress this enough: Adam, just migrate your end-user configuration to cat.eduroam.org. We did the same and it really really reduced the burdon on our 1st level support. Grüße, Sven.
On Dec 12, 2019, at 5:55 PM, Adam Taylor <ataylor@ulm.edu> wrote:
We currently use PEAP to auth our wireless. My question is about doing the certificates correctly on the new radius servers. We currently use a Global CA cert in the TLS section but everywhere says not to in the config files. I'm confused as to why for PEAP, as we have to have a CA signed cert for all the user devices to not throw a "could not verify cert" creating the TLS tunnel before EAP. Clients installing a cert is a non-starter....there is no way with the amount of visitors.
Clients have to do *something*. Every client system defaults to not allowing any CA for EAP. Including "known root" CAs which are allowed by default for web surfing. This is for security. With EAP, you are sending your credentials to the other end. Which means you need to know that it really is trusted. And, it's the end you want to send credentials to. In contrast, with WWW, the other end is sending data to you. Which means that if the site has the correct certificates, it *must* be the correct data. And, you don't really care what that data is. So... you *still* have to have clients edit their configuration, in order to use a particular SSID with a particular root CA.
So is a CA signed TLS cert correct for PEAP auth or am I not understanding something in the documentation?
The documentation is largely left over from before client systems did certificate pinning. What used to happen is that when the client trusted a root CA, they would then trust *any* server cert signed by that root CA. Which meant that anyone could get a root CA, publish an SSID, and then start grabbing EAP credentials. Client systems now do certificate pinning. When they first authenticate, they save a copy of the server certificate. If that certificate changes, the clients either complain, or refuse to continue. The only way to avoid that was to trust a root CA which was under your control. i.e. so you could be sure that no one else ever was issued a server cert.
I just want to make sure I do this correctly and do not have some giant gaping security hole.
You don't. Clients have a gaping security hole because they will randomly trust / allow any root CA. Which is why those should be preconfigured. There has been discussion in the IETF about addressing some of the remaining security issues with 802.1X / EAP. Many of which are UI / usability issues. But there is also significant resistance to fixing things, for reasons which are unclear to me. Alan DeKok.
participants (5)
-
Adam Taylor -
Alan DeKok -
Alberto Martínez Setién -
Matthew Newton -
Sven Hartge