How can I force the CA validation on a EAP-TTLS configuration. If in my Windows-Supplicant software I select the CA validation, it works. But if remove it, and I use only the User-Credentials Authentication part... it works also. I would like to force that the CA certification Authentication part must be mandatory also. (I'm using windows-supplicant software with EAP-TTLS method) Thanks in advance, Swatzy.
Fernando Calvelo Vazquez <fernando.calvelo@esrf.fr> wrote:
How can I force the CA validation on a EAP-TTLS configuration. If in my Windows-Supplicant software I select the CA validation, it works. But if remove it, and I use only the User-Credentials Authentication part... it works also. I would like to force that the CA certification Authentication part must be mandatory also.
(I'm using windows-supplicant software with EAP-TTLS method) Thanks in advance,
You cannot, this is a client side issue. It is an identical situation to connecting to 'secure' websites, the secure website cannot do anything to prevent the user overriding and accepting an expired/invalid cert when connecting to their site. It's one of the reasons we use SecureW2 as it lets you 'script' this cert validation[1]. This is great for situations where you do not administratively control the connecting workstations (like in a university) however if this is a company where you have admin rights to all the machines they probably are part of an AD domain and so you can set up a GPO (or whatever it is called) to do this for you instead. Cheers [1] I hope you are also validating the subject line, otherwise you are making the CA validation (for commerically signed certs) pointless -- Alexander Clouter .sigmonster says: I wonder if I should put myself in ESCROW!!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fernando Calvelo Vazquez wrote:
How can I force the CA validation on a EAP-TTLS configuration. If in my Windows-Supplicant software I select the CA validation, it works. But if remove it, and I use only the User-Credentials Authentication part... it works also. I would like to force that the CA certification Authentication part must be mandatory also.
Use EAP-TLS. It requires client-side certificate. Kind regards, - -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn] -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.12 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJLDm9UAAoJEAinxibr2rgG/PMIAKpMnoFhDRECRyK1lywIaVD/ mVwrbDRwIBNYE8/YGPZF3Xq7ZZCWkFQALU6Pk7drnzHU5yWRYPbNugkPw3I4Ps8D voAU2WxDUAa4rxW4dEG/6QeimUPPp/fN3dYf336ww+j/7Zd5TgYdWsFah37rbksF 3WzaIen69RsmHZMSJo2Jt0ujJfzEWYTFdvIGZF76kqUXor+P7Lm4fONJmUBSVZiA eImBj7m8c2TdPBMmwyl9iO6+sf6k8ivU79q7INeA5lV+JKclp2hw3Dd/rhWp5Ff9 rcj3fdTpvMEHZk/8QHf8vc0LYo/ZJ1+BY2K23Pa4ya0F9bfRuO0VAfn+teMqKSY= =wNt4 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Fernando Calvelo Vazquez wrote:
How can I force the CA validation on a EAP-TTLS configuration. If in my Windows-Supplicant software I select the CA validation, it works. But if remove it, and I use only the User-Credentials Authentication part... it works also. I would like to force that the CA certification Authentication part must be mandatory also.
Use EAP-TLS. It requires client-side certificate.
You can avoid CA validation for EAP-TLS in the same way. Ivan Kalik
participants (4)
-
Alexander Clouter -
Fernando Calvelo Vazquez -
Lech Karol Pawłaszek -
tnt@kalik.net