windows users having trouble authenticating

Alan DeKok aland at deployingradius.com
Tue Aug 3 20:13:09 CEST 2010


John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really
>> recommended.
> 
> Why?
> 
> P.S. just to clarify, it's not "using a known root CA for
> RADIUS authentication", rather it's using a server cert signed by a
> known root CA.

  Sure.

  It's because *anyone* can set up an AP, and a RADIUS server that your
PC will accept.  If the AP has the same SSID as (say) your work, it will
happily send your work username && login via EAP to the rogue AP.

  The various EAP methods *should* have tied usernames (i.e. domains) to
a field in the certificate.  e.g. a cert with CN "radius@example.com"
should be sent logins for "user@example.com", but NEVER sent logins for
"user@example.net".

  You should ONLY send your login credentials when you *know* who it is
on the other end of the EAP conversation.

  Alan DeKok.
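
The realm-to-certificate binding described in the message above, sketched as a supplicant-side policy check. This is an added example, not code from the post or from FreeRADIUS; the function names are hypothetical, and accepting a subjectAltName host name inside the user's domain is an assumption that goes beyond the CN case in the post.

```python
# Added illustration: decide whether EAP credentials may be sent, based on the
# already-parsed server certificate. All function names are hypothetical.

def _norm(name):
    """Lower-case a DNS name and drop a trailing dot."""
    return name.strip().rstrip(".").lower()


def realm_of(identity):
    """Return the realm of 'user@realm', or None when there is no realm."""
    local, sep, realm = identity.rpartition("@")
    if not sep or not local or not realm:
        return None
    return _norm(realm)


def may_send_credentials(identity, chain_trusted, common_name, san_dns=()):
    """True only if the chain validated AND the cert is bound to the user's realm.

    chain_trusted: result of normal X.509 chain validation done elsewhere.
    A valid chain to a well-known root is NOT enough on its own.
    """
    if not chain_trusted:
        return False
    user_realm = realm_of(identity)
    if user_realm is None:
        return False  # nothing to bind the certificate to: refuse
    # Case from the post: CN "radius@example.com" serves "user@example.com".
    if realm_of(common_name) == user_realm:
        return True
    # Assumption: a SAN host name inside the user's domain also counts.
    suffix = "." + user_realm
    return any(h == user_realm or h.endswith(suffix) for h in map(_norm, san_dns))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    cases = [
        ("user@example.com", True, "radius@example.com", ()),
        ("user@example.net", True, "radius@example.com", ()),
        ("user@example.com", True, "radius@badexample.com", ("radius.badexample.com",)),
    ]
    for ident, ok, cn, san in cases:
        print(ident, cn, "->", may_send_credentials(ident, ok, cn, san))
```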



More information about the Freeradius-Users mailing list