Real server certificate for PEAP
Muhammad Nuzaihan Kamal Luddin
muhammad at taqisystems.com
Wed Apr 3 06:32:53 CEST 2013
You will need to purchase a Unified Communications certificate from a
To generate the CSR, here is the guide:
Muhammad Nuzaihan Bin Kamal Luddin
On Tue, 2013-04-02 at 16:22 +0100, Phil Mayers wrote:
> On 02/04/2013 15:22, Rudolf Henze wrote:
> > Hi,
> > Iam using freeradius 2.1.10 with a self-signed certificate with PEAP and
> > mschapv2 and LDAP-authentification.
> > Ive copied my CA-Certificate to all clients to be sure that Iam using
> > really the right network and not a fake SSID.
> > But this is a little inconvenient. Is it possible to use a "real"
> > certificate. What do I bear in mind for that?
> Several things:
> First, anyone can get certs from public CAs, so you should ensure that
> your client is a) validating the server cert against the specific CA and
> b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing
> and credential capture. Note that some platforms (Android?) can't
> validate cert CN, so can't be made secure.
> Second, your cert will need to have the right OIDs and such. If you want
> it to be "hassle free" deployment, it'll need to be from a CA widely
> trusted by your client base, and ideally one that's easy to identify -
> specifically easy to pick from the "validate cert" list. Verisign have
> been bad at this - they've got lots of certs with "friendly" names all
> starting "VeriSign Class 3" which get truncated on narrow (mobile)
> screens. Guess the cert!
> Third, note that commercial CAs have a nasty habit of rotating their
> intermediate and top-level certs far more often than you would expect.
> We're in the irritating position of having a public cert (to avoid the
> deployment nightmare of a private cert on >10k unmanaged devices) and
> Verisign have just changed their root cert, despite it having 7 more
> years to run. So, all of those clients now have to re-trust the cert.
> Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods
> are the only vaguely usable ones.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users