XP supplicant and Secure Certificate acceptance
Josh Howlett
Josh.Howlett at bristol.ac.uk
Mon Aug 1 22:53:16 CEST 2005
On Mon, 1 Aug 2005, jck-freeradius at southwestern.edu wrote:
> I am running FreeRadius 1.0.4 and using XP supplicants. My problem
> is after authenticating against FreeRadius, XP asks me to OK
> the server certificate.
>
> I do not want to manually validate the server certificate. XP should be able
> to validate the certificate by itself, as long as the cert has been issued by
> a valid Certificate Authority. I have tried using certs from DigiCert and
> Verisign.

Hi,

In an 802.1x context, it is best to use certs from a self-signed CA,
rather than a well-known CA (such as Verisign).

This is because an attacker could dupe your users' supplicants by
acquiring a certificate from the same CA that you trust (i.e. Verisign),
and install a rogue WAP near your premises to steal inner-tunnel
credentials.

There is a solution, and this is to get the supplicant to verify certain
attributes within the server cert. However, I am aware of only one
supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend
using a self-signed CA.

Evidently, you'll need to distribute the CA's root certificate to your
users.

josh.
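
The trust decision discussed in this thread, as an added example that is not part of the original post: the `openssl` command line stands in for a supplicant, and every CA name, host name and file name is constructed. It shows that trusting a shared public CA alone accepts any certificate that CA issued, while a server-name check or a site-run CA refuses it. It assumes OpenSSL 1.1.1 or later with its default configuration.

```sh
#!/bin/sh
# Added demo. Every CA name and host name below is constructed for illustration.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

mkca() {    # mkca <prefix> <CN>: create a self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -out "$W/$1.pem" -subj "/CN=$2" -days 2 >/dev/null 2>&1
}

issue() {   # issue <ca> <leaf> <CN>: have CA <ca> sign a server cert for <CN>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$2.key" \
    -out "$W/$2.csr" -subj "/CN=$3" >/dev/null 2>&1 &&
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -out "$W/$2.pem" -days 2 >/dev/null 2>&1
}

# accepts <trusted-ca> <leaf> [expected-name]: exit 0 if the client would accept.
accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$W/$1.pem" -verify_hostname "$3" "$W/$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$W/$1.pem" "$W/$2.pem" >/dev/null 2>&1
  fi
}

mkca  public "Well-Known Public CA"   # stands in for a commercial CA
mkca  campus "Campus Private CA"      # CA operated by the site itself
issue public radius_pub  radius.example.edu       # site's cert from the public CA
issue public other       radius.other.example     # unrelated cert, same public CA
issue campus radius_priv radius.example.edu       # site's cert from its own CA

report() { if accepts "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }
report public radius_pub                      # public CA trusted, no name check
report public other                           # same policy: any cert from that CA passes
report public other radius.example.edu        # name check added: wrong name refused
report campus other                           # only private CA trusted: refused
report campus radius_priv radius.example.edu  # private CA plus name check
```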