How to enable only EAP-TTLS type and not EAP-TLS?
Stefan Winter
stefan.winter at restena.lu
Thu Jan 10 14:10:26 CET 2008
> No. You are saying that the supplicant should trust those root CA's
> for ALL authentication.
>
> i.e. you have a certificate for "example.com", signed by Verisign.
> The supplicant is configured to trust the verisign-signed certificates,
> because that's what you have.
>
> Now *anyone* who is issued a certificate from verisign can
> authenticate your users. If your users are using EAP-TTLS with PAP
> authentication, you've just convinced them to send their clear-text
> password to some random person on the Internet.
>
> RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That
> means that no one else can successfully convince the users to send them
> the passwords.
I definitely second that. We keep telling our eduroam participants that
well-known CAs are not only no plus, but instead MAY introduce insecurity
(properly configured supplicants also check the CN in the certificate, which
makes the risk go away; still, if a user forgets that, recognised CAs
introduce a threat while self-signed ones don't).
Either self-signed certs or at least dedicated CAs for the specific purpose of
RADIUS Auth are the best practice.
Some people who are in possession of a cert-store-present (read:
browser-recognised) CA think it solves all problems whatsoever. They have a
hard time learning that it can actually be a hindrance, but it is a lesson
everyone who is really concerned about security should learn at some point.
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
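As an added illustration (not part of the original thread or of any FreeRADIUS/eduroam documentation), here are two wpa_supplicant network blocks for the EAP-TTLS/PAP case discussed above: the weak setup that trusts every browser-recognised CA and never checks the server name, next to the hardened one that pins a dedicated CA and requires the expected RADIUS server name. SSID, identity, server name and file paths are placeholders.

```conf
# Added example, not code from the original thread. Placeholders:
# "example-wifi", "user@example.com", "radius.example.com" and all paths.

# WEAK: ca_cert points at the whole system CA bundle and no server-name
# check is configured. Any server presenting a certificate issued by any
# public CA in that bundle passes the TLS check, so the inner PAP password
# is sent to whoever runs that server.
network={
    ssid="example-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="user@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# HARDENED: trust only the dedicated CA (self-signed, or a CA created solely
# for RADIUS) that issued the server's certificate, and additionally require
# the expected server name, so that even another certificate from the same
# CA for a different host is rejected. anonymous_identity keeps the real
# username out of the unencrypted outer EAP identity.
network={
    ssid="example-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

With the hardened block, a supplicant that cannot validate the server certificate against radius-ca.pem, or whose server name does not match, aborts the TLS handshake before any inner PAP exchange takes place.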