using SSL certs with EAP-TLS

Wouter radius at occult.nl
Mon Apr 4 11:19:20 CEST 2016


Good day,

In my FreeRadius setup for authenticating WiFi devices with EAP-TLS, I
use server- and client SSL certificates from CA provider ' X '. I
understand that now everyone with knowledge of this fact, can get a
client SSL cert (PKCS#12) from this CA provider X and can authenticate
with my WPA2 Enterprise network.

After reading the following from the README:

"In general, you should use self-signed certificates for 802.1x (EAP)
authentication.  When you list root CAs from other organisations in
the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS."

I would like to ask the following question. Is there something I can
configure on the server side so that only certain CommonNames and/or
serials can be used to authenticate correctly?

Next to this question, I wonder why iOS also asks for a username
(Benutzername) when we use EAP-TLS with a certificate? I can fill in this
field with any string and it authenticates in FreeRADIUS (when a correct
cert is presented, of course).
screenshot:
https://hilfe.uni-paderborn.de/images/thumb/4/4f/Eduroam_iOS7_04.png/250px-Eduroam_iOS7_04.png

I run version 3.0.11 on Ubuntu 14.04 LTS 64bit.

Thank you
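
One way to do this server-side, as an added example that is not part of the original post and not the FreeRADIUS project's own configuration: the `tls-config` section of `mods-available/eap` in FreeRADIUS 3.0 has `check_cert_issuer` (reject any client certificate whose issuer DN differs from the one given) and `check_cert_cn` (require the certificate CN to match an attribute, typically the EAP outer identity in `User-Name`), and the attributes FreeRADIUS fills in from the verified client certificate (`TLS-Client-Cert-Serial`, `TLS-Client-Cert-Common-Name`, `TLS-Client-Cert-Issuer`) can be checked in unlang before the Access-Accept is sent. The file paths, the issuer DN and the serial numbers below are placeholders; copy the real values from your issuing CA certificate and from a `radiusd -X` debug run, which also shows the exact hex formatting FreeRADIUS uses for the serial.

```conf
# Added example: restrict EAP-TLS logins to specific client certificates
# even though ca_file points at a public CA. Placeholder paths, DN and
# serials; adjust for your own CA before use.

# --- mods-available/eap -------------------------------------------------
eap {
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # List only the CA that issues your client certificates,
        # never a bundle of public roots.
        ca_file          = ${cadir}/issuing-ca.pem
        dh_file          = ${certdir}/dh

        # Reject client certificates whose issuer DN is not exactly this
        # one (placeholder DN; take it from the real issuing CA cert).
        check_cert_issuer = "/C=NL/O=Example CA/CN=Example Issuing CA"

        # Require the certificate CN to equal the EAP outer identity, so
        # the "username" the supplicant sends is no longer an arbitrary
        # string but must match the presented certificate.
        check_cert_cn = %{User-Name}
    }

    tls {
        tls = tls-common
    }
}

# --- sites-enabled/default, post-auth section ---------------------------
post-auth {
    # Allow list of client certificate serials (placeholders). A cert
    # from the same CA with any other serial is turned into a reject
    # before the Access-Accept leaves the server.
    if (&TLS-Client-Cert-Serial && (&TLS-Client-Cert-Serial !~ /^(0a1b2c3d4e5f|1122334455667788)$/)) {
        update reply {
            &Reply-Message := "client certificate not on the allow list"
        }
        reject
    }
}
```

`check_cert_cn` on its own does not close the hole described in the post: anyone who can obtain a certificate from the same public CA can simply type that certificate's CN as the username. The issuer check narrows it to one issuing CA, and the serial (or CN) allow list in `post-auth` narrows it to certificates you actually issued or enrolled. The README's recommendation, a private CA whose only purpose is issuing your EAP-TLS certificates, removes the need for the allow list entirely and is the more robust fix.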

