XP supplicant and Secure Certificate acceptance

Josh Howlett Josh.Howlett at bristol.ac.uk
Tue Aug 2 00:02:50 CEST 2005


On Mon, 1 Aug 2005, David Mitton wrote:

> I think your terminology is incorrect.

Yes. It's late :-)

> I know for a fact that Funk's software will not accept a self-signed cert.
> That is a certificate not signed by another CA.
>
> What I think you meant was having your own private trusted CA root, 
> where the server and client certs are signed by it. And, yes, in that 
> configuration you have to install the cert for that CA on the clients, 
> if you want them to verify the server cert.

That's correct.

josh.

> If you can provide me a pointer to the Funk documentation that 
> recommends what you suggest, I would appreciate it.
>
> Dave.
>
> ----- Original Message -----
> From: "Josh Howlett" <Josh.Howlett at bristol.ac.uk>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Subject: Re: XP supplicant and Secure Certificate acceptance
> Date: Mon, 1 Aug 2005 21:53:16 +0100 (BST)
>
>>
>> On Mon, 1 Aug 2005, jck-freeradius at southwestern.edu wrote:
>>
>>> I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
>>> is after authenticating against FreeRadius, XP asks me to OK
>>> the server certificate.
>>>
>>> I do not want to manually validate the server certificate.  XP should be able
>>> to validate the certificate by itself, as long as the cert has been issued by
>>> a valid Certificate Authority.  I have tried using certs from DigiCert and
>>> Verisign.
>>
>> Hi,
>>
>> In an 802.1x context, it is best to use certs from a self-signed CA, rather
>> than a well-known CA (such as Verisign).
>>
>> This is because an attacker could dupe your users' supplicants by acquiring a
>> certificate from the same CA that you trust (i.e. Verisign), and install a
>> rogue WAP near your premises to steal inner-tunnel credentials.
>>
>> There is a solution, and this is to get the supplicant to verify certain
>> attributes within the server cert. However, I am aware of only one supplicant
>> that can do this: Funk's Odyssey. FWIW, even Funk recommend using a
>> self-signed CA.
>>
>> Evidently, you'll need to distribute the CA's root certificate to your users.
>>
>> josh.

------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: josh.howlett at bris.ac.uk
------------------------------------------------------------
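The chain-of-trust point made in the quoted message (a supplicant that trusts a public CA accepts any server certificate that CA has issued, so it must either trust only the private CA root or also check the server's name in the certificate), as an added Go example that is not part of the thread or of FreeRADIUS; the CA names, server names and the stand-in public CA are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name, signed by parent (self-signed when parent is nil).
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN is what the supplicant's name check compares against
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// supplicantAccepts: the chain must end at root and, if expectedName != "", the cert must name that server.
func supplicantAccepts(server, root *x509.Certificate, expectedName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: expectedName})
	return err == nil
}

// Scenario: a private campus CA issues the real server cert, and a constructed stand-in for a well-known
// public CA issues a cert an attacker could buy legitimately; each return says whether the supplicant accepts.
func Scenario() (legitOK, rogueAnyName, rogueNameChecked, roguePrivateRoot bool) {
	privCA, privKey := newCert("Example University Private CA", true, nil, nil)
	pubCA, pubKey := newCert("Well-Known Public CA (stand-in)", true, nil, nil)
	legit, _ := newCert("radius.example.edu", false, privCA, privKey)
	rogue, _ := newCert("radius.attacker.example", false, pubCA, pubKey)
	return supplicantAccepts(legit, privCA, "radius.example.edu"), supplicantAccepts(rogue, pubCA, ""),
		supplicantAccepts(rogue, pubCA, "radius.example.edu"), supplicantAccepts(rogue, privCA, "")
}
```

Only the second case accepts the rogue certificate: trusting the public root without a name check is exactly the XP behaviour the thread describes, while a private root alone rejects it.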


