XP supplicant and Secure Cerficate acceptance
I am running FreeRadius 1.0.4 and using XP supplicants. My problem is after authenticating against FreeRadius, XP asks me to OK the server certificate. I do not want to manually validate the server certificate. XP should be able to validte the certificate by itself, as long as the cert has been issued by a valid Certificate Authority. I have tried using certs from DigiCert and Verisign. Does anyone else see this same problem? How can this step be automated so that my users are not requried this additional click? --johnk
On Mon, 1 Aug 2005, jck-freeradius@southwestern.edu wrote:
I am running FreeRadius 1.0.4 and using XP supplicants. My problem is after authenticating against FreeRadius, XP asks me to OK the server certificate.
I do not want to manually validate the server certificate. XP should be able to validte the certificate by itself, as long as the cert has been issued by a valid Certificate Authority. I have tried using certs from DigiCert and Verisign.
Hi, In an 802.1x context, it is best to use certs from a self-signed CA, rather than a well-known CA (such as Verisign). This is because an attacker could dupe your users' supplicants by acquiring a certificate from the same CA that you trust (ie. Verisign), and install a rogue WAP near your premises to steal inner-tunnel credentials. There is a solution, and this is to get the supplicant to verify certain attributes within the server cert. However, I am aware of only one supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend using a self-signed CA. Evidentally, you'll need to distribute the CA's root certificate to your users. josh.
On Monday 01 August 2005 16:37, jck-freeradius@southwestern.edu wrote:
I am running FreeRadius 1.0.4 and using XP supplicants. My problem is after authenticating against FreeRadius, XP asks me to OK the server certificate.
I do not want to manually validate the server certificate. XP should be able to validte the certificate by itself, as long as the cert has been issued by a valid Certificate Authority. I have tried using certs from DigiCert and Verisign.
Does anyone else see this same problem? How can this step be automated so that my users are not requried this additional click?
On the XP machines you can either uncheck the "Validate server certificate" in the EAP properties (not recommended) or you can specify the trusted root certificate that you are using (check the box in the list) and the RADIUS server names. The validation is not a big deal and you only have to do it once unless you are wiping the eapinfo from the registry on shutdown. Zoltan Ori
participants (3)
-
jck-freeradiusï¼ southwestern.edu -
Josh Howlett -
Zoltan Ori