EAP + SSL + Certificate chains

Brian Julin BJulin at clarku.edu
Thu Sep 12 19:50:03 CEST 2013


> Trevor Jennings wrote:
 
>  We are using freeradius with EAP/SSL and although it is working fine, I was
> wondering if there was a way to prevent the user from getting the prompt to
> accept the certificate? I have combined the intermediate and server
> certificates to one file and used that file in the 'certificate_file' config in
> eap.conf.
> 
> On OSX, the certificates are marked as valid, including the root, intermediate
> and server, but still prompts the user to accept. Is there a way around this?

About the only way I can think of is to install a profile (.mobileconfig) which
pre-approves the use of that certificate authority.  Reason being, if you just
accept any old certificate authority any compromised certificate will work, and
on newer OSX/iOS the only way to check the certificate subject for the name
of your RADIUS server, which is a better option for patching the hole, is to install
a profile, anyway.  So really, this means without prompting the user, any stolen
key for any unrevoked certificate from any CA in that entire list, worldwide, could
be used to launch a MITM attack and steal passwords or other data.  This is not
a particularly difficult object to get your hands on.

(Incidentally this is why many environments do not like having Android devices
on their wireless LANs since they don't have any such native options accessible
from the UI or even a decent way to distribute profiles.  Heck they don't even
fake it by making the first certificate they see sticky.  The first time warez to
perform an MITM on WPA2-Enterprise is packaged in a way that any old
script kiddie can use, there will be pain.)

--
Brian Julin
Network Administrator
Clark University
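The profile approach described in the reply above, as an added example that is not part of the original post: a minimal .mobileconfig that installs the organisation's RADIUS CA as a trust anchor and pins the 802.1X Wi-Fi payload to both that anchor and the RADIUS server's certificate name, so the client never asks the user to accept a certificate and rejects any other CA's certificate outright. The SSID, identifiers, UUIDs and hostname are constructed placeholders; the base64 DER certificate must be your own CA's.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <!-- Constructed identifiers; replace with your own reverse-DNS id and fresh UUIDs -->
  <key>PayloadIdentifier</key><string>edu.example.wifi.eap</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Campus Wi-Fi (802.1X)</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1. The CA that signed the RADIUS server certificate, delivered as a trust anchor.
         Only this anchor will be accepted for the network below. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>edu.example.wifi.eap.ca</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadDisplayName</key><string>Example RADIUS CA</string>
      <key>PayloadCertificateFileName</key><string>radius-ca.cer</string>
      <!-- Placeholder: base64-encoded DER of your CA certificate goes here -->
      <key>PayloadContent</key>
      <data>BASE64_DER_OF_YOUR_CA_CERT</data>
    </dict>
    <!-- 2. The WPA2-Enterprise network, bound to the anchor above and to the server name. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>edu.example.wifi.eap.ssid</string>
      <key>PayloadUUID</key><string>99999999-8888-7777-6666-555555555555</string>
      <key>PayloadDisplayName</key><string>CampusSecure</string>
      <key>SSID_STR</key><string>CampusSecure</string>
      <key>HIDDEN_NETWORK</key><false/>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP; use 13 for EAP-TLS, 21 for EAP-TTLS -->
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array>
        <!-- Trust only the CA payload installed above (by its PayloadUUID) -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string></array>
        <!-- Server certificate subject/SAN must match this name (placeholder hostname) -->
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.edu</string></array>
        <!-- No "accept anyway" dialog: an untrusted or mismatched server fails silently -->
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

With the anchor UUID and trusted server name set, a rogue access point presenting a certificate from any other publicly trusted CA, or from the same CA but for a different hostname, fails the EAP TLS handshake before credentials are sent, which is the hole the reply describes. Sign the profile before distributing it so the device can show who issued it.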

