How to avoid EAP-TLS login on commercial CA's?
Hello FreeRadius masters, We're planning to use EAP-TTLS with a commercial certificate on freeradius-3.0.4. We do not want any "client certificate" signed by this commercial big CA to log in. Of course, I saw the warning: /etc/raddb/mod-enabled/eap # Note that you should NOT use a globally known CA here! # e.g. using a Verisign cert as a "known CA" means that # ANYONE who has a certificate signed by them can # authenticate via EAP-TLS! This is likely not what you want. But, there's any simple way to forbid globally any CA 'valid client certificate', a part of not using the commercial CA?? Regards.
On Thu, Jun 29, 2017 at 05:00:58PM +0200, Ramon Escriba wrote:
We're planning to use EAP-TTLS with a commercial certificate on freeradius-3.0.4.
Start on 3.0.14, not 3.0.4. It's old and buggy.
We do not want any "client certificate" signed by this commercial big CA to log in.
Right.
But, there's any simple way to forbid globally any CA 'valid client certificate', a part of not using the commercial CA??
I assume you mean EAP-TLS as in the subject, not EAP-TTLS. In which case definitely only use a private CA. Even if it's EAP-TTLS you should still use a private CA for security to stop the possibility of credentials being leaked. -- Matthew
Even if it's EAP-TTLS you should still use a private CA for security to stop the possibility of credentials being leaked.
-- Matthew
That's a good point! Thank you. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear Timo, We do not use certificates for login. Just login+password. Regards. -----Original Message----- From: Timo Buhrmester [mailto:timo.buhrmester@fhr.fraunhofer.de] Sent: jueves, 29 de junio de 2017 17:09 To: Ramon Escriba Cc: FreeRadius users mailing list Subject: Re: How to avoid EAP-TLS login on commercial CA's?
We do not want any "client certificate" signed by this commercial big CA to log in. What about your own/legitimate clients? Won't they be provided with a client cert signed by that CA?
On Jun 29, 2017, at 11:00 AM, Ramon Escriba <escriba@cells.es> wrote:
We're planning to use EAP-TTLS with a commercial certificate on freeradius-3.0.4.
But, there's any simple way to forbid globally any CA 'valid client certificate', a part of not using the commercial CA??
You can disable the "tls" sub-module in EAP. See raddb/mods-available/eap. They can still use client certificates with PEAP or TTLS, but you will still be checking passwords, so that doesn't matter as much. Alan DeKok.
participants (4)
-
Alan DeKok -
Matthew Newton -
Ramon Escriba -
Timo Buhrmester