Real server certificate for PEAP

Muhammad Nuzaihan Kamal Luddin muhammad at taqisystems.com
Wed Apr 3 06:32:53 CEST 2013


Hi,

You will need to purchase a Unified Communications certificate from a
CA. 

To generate the CSR, here is the guide:

http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

On Tue, 2013-04-02 at 16:22 +0100, Phil Mayers wrote:
> On 02/04/2013 15:22, Rudolf Henze wrote:
> > Hi,
> > I am using freeradius 2.1.10 with a self-signed certificate with PEAP and
> > mschapv2 and LDAP authentication.
> > I've copied my CA certificate to all clients to be sure that I am really
> > using the right network and not a fake SSID.
> >
> > But this is a little inconvenient. Is it possible to use a "real"
> > certificate? What do I need to bear in mind for that?
> 
> Several things:
> 
> First, anyone can get certs from public CAs, so you should ensure that 
> your client is a) validating the server cert against the specific CA and 
> b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing 
> and credential capture. Note that some platforms (Android?) can't 
> validate cert CN, so can't be made secure.
> 
> Second, your cert will need to have the right OIDs and such. If you want 
> it to be "hassle free" deployment, it'll need to be from a CA widely 
> trusted by your client base, and ideally one that's easy to identify - 
> specifically easy to pick from the "validate cert" list. Verisign have 
> been bad at this - they've got lots of certs with "friendly" names all 
> starting "VeriSign Class 3" which get truncated on narrow (mobile) 
> screens. Guess the cert!
> 
> Third, note that commercial CAs have a nasty habit of rotating their 
> intermediate and top-level certs far more often than you would expect. 
> We're in the irritating position of having a public cert (to avoid the 
> deployment nightmare of a private cert on >10k unmanaged devices) and 
> Verisign have just changed their root cert, despite it having 7 more 
> years to run. So, all of those clients now have to re-trust the cert.
> 
> Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods 
> are the only vaguely usable ones.
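The two points the thread turns on, a CSR that carries the server names in subjectAltName with the server-authentication EKU, and a client that only accepts the certificate if it chains to one specific CA and carries the expected name, can both be exercised offline with OpenSSL. The script below is an added example and is not code from the thread, from FreeRADIUS or from the linked guide. The hostnames radius.example.org and radius2.example.org, the organisation name, the working directory and the local self-signed CA that stands in for the commercial CA are all assumptions made for illustration; in practice the CSR goes to the public CA and the client pins that CA's certificate instead.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a SAN/UCC CSR for a
# PEAP RADIUS server and then checks the issued certificate the way a
# correctly configured supplicant should: specific CA *and* expected name.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RADIUS_FQDN="radius.example.org"     # assumed primary name of the RADIUS server
ALT_FQDN="radius2.example.org"       # assumed second name (UCC-style extra SAN)

# OpenSSL request config: names go in subjectAltName, and the request asks for
# the TLS server-authentication EKU that PEAP clients look for. The ca_ext
# section is only used by the local stand-in CA below.
write_req_conf() {
  cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $RADIUS_FQDN
O  = Example Org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$RADIUS_FQDN, DNS:$ALT_FQDN

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Generate the server key and the CSR. $WORK/server.csr is what you submit.
make_csr() {
  write_req_conf
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/req.cnf" >/dev/null 2>&1
}

# Check the CSR carries both the SAN and the serverAuth EKU before submitting
# it; a CSR without them yields a cert that clients will reject or mis-trust.
csr_has_san_and_eku() {
  text=$(openssl req -in "$WORK/server.csr" -noout -text)
  echo "$text" | grep -q "DNS:$RADIUS_FQDN" &&
  echo "$text" | grep -q "DNS:$ALT_FQDN" &&
  echo "$text" | grep -q "TLS Web Server Authentication"
}

# Stand-in for the commercial CA (assumption): a local self-signed CA signs the
# CSR so the client-side checks can run offline. Extensions come from req.cnf
# so the issued cert keeps the SAN and EKU requested above.
issue_with_local_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" -config "$WORK/req.cnf" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/req.cnf" -extensions v3_req \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# What the supplicant must do: trust exactly one CA file and require that the
# certificate is valid for the expected server name. Any public CA could issue
# a cert for some other name, so both checks are needed. Returns 0 only if
# the chain and the name both verify.
client_validates() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/server.pem" >/dev/null 2>&1
}
```

Run `make_csr`, inspect the CSR with `csr_has_san_and_eku`, and after issuing (here via the local CA) confirm that `client_validates radius.example.org` succeeds while a name not in the SAN fails; that failing case is exactly the rogue-SSID scenario a name-agnostic client cannot detect.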

