Real server certificate for PEAP
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 2 17:22:01 CEST 2013
On 02/04/2013 15:22, Rudolf Henze wrote:
> Hi,
> I am using freeradius 2.1.10 with a self-signed certificate with PEAP and
> mschapv2 and LDAP authentication.
> I've copied my CA certificate to all clients to be sure that I am using
> really the right network and not a fake SSID.
>
> But this is a little inconvenient. Is it possible to use a "real"
> certificate? What do I need to bear in mind for that?
Several things:

First, anyone can get certs from public CAs, so you should ensure that
your client is a) validating the server cert against the specific CA and
b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing
and credential capture. Note that some platforms (Android?) can't
validate cert CN, so can't be made secure.

Second, your cert will need to have the right OIDs and such. If you want
it to be "hassle free" deployment, it'll need to be from a CA widely
trusted by your client base, and ideally one that's easy to identify -
specifically easy to pick from the "validate cert" list. Verisign have
been bad at this - they've got lots of certs with "friendly" names all
starting "VeriSign Class 3" which get truncated on narrow (mobile)
screens. Guess the cert!

Third, note that commercial CAs have a nasty habit of rotating their
intermediate and top-level certs far more often than you would expect.
We're in the irritating position of having a public cert (to avoid the
deployment nightmare of a private cert on >10k unmanaged devices) and
Verisign have just changed their root cert, despite it having 7 more
years to run. So, all of those clients now have to re-trust the cert.
Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods
are the only vaguely usable ones.