How to enable only EAP-TTLS type and not EAP-TLS?
Alan DeKok
aland at deployingradius.com
Thu Jan 10 13:57:43 CET 2008
Reimer Karlsen-Masur, DFN-CERT wrote:
> Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
> has its root CA certificate preinstalled in the standard certificate stores...
No. You are saying that the supplicant should trust those root CAs
for ALL authentication.
I.e., you have a certificate for "example.com", signed by Verisign.
The supplicant is configured to trust the Verisign-signed certificates,
because that's what you have.
Now *anyone* who is issued a certificate from Verisign can
authenticate your users. If your users are using EAP-TTLS with PAP
authentication, you've just convinced them to send their clear-text
password to some random person on the Internet.
RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That
means that no one else can successfully convince the users to send them
the passwords.
Alan DeKok.
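The failure mode Alan describes, shown as a pair of wpa_supplicant network blocks. This is an added example and not part of the original post or of the FreeRADIUS project; the file paths, SSID, realm and identity are assumed placeholders, and the directives used (ca_cert, domain_match, phase2) are current wpa_supplicant options, not ones the 2008 thread mentions.

```conf
# WEAK: the supplicant trusts the whole public CA bundle of the OS.
# Any server presenting a certificate chained to ANY CA in that bundle
# passes TLS verification, so an attacker with an ordinary commercially
# issued certificate can stand up a rogue AP + RADIUS server and receive
# the user's PAP password inside the TTLS tunnel.
network={
    ssid="corp-wifi"                 # assumed SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.com"   # assumed realm
    identity="alice@example.com"                 # assumed identity
    password="hunter2"                           # constructed sample
    ca_cert="/etc/ssl/certs/ca-certificates.crt" # the entire public store
    # no domain_match / subject_match: any trusted-CA cert is accepted
}

# CORRECTED: the supplicant trusts ONLY the organisation's own
# (self-signed) CA that issued the RADIUS server certificate.
# No public CA can issue a certificate that chains to this key, so
# nobody else can terminate the TTLS tunnel and collect the password.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/example-radius-ca.pem" # assumed path to your own CA
    # Defence in depth: also pin the server name inside the certificate,
    # so a second certificate issued by the same private CA for another
    # host (e.g. a test server) is not accepted either.
    domain_match="radius.example.com"                   # assumed server name
}
```

The point of the second block is that verification succeeds only for certificates signed by a key the organisation controls; the `domain_match` line narrows that further to one server name but is not a substitute for the private CA, since it would do nothing against a public-CA certificate that happens to carry the matching name.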