using SSL certs with EAP-TLS

Wouter radius at occult.nl
Mon Apr 4 20:56:39 CEST 2016


Hi Stefan,

Thank you for the quick reply.

On 04-04-16 11:45, Stefan Winter wrote:
> No. If your server certificate is from a CA, the client can verify that
> your server is genuine (if the client side is configured correctly to
> actually check CA and server name).

By "client", do you mean client in the RADIUS sense, like the
Access Point? Or the WLAN device, like a smartphone?

> Since there's no need to go down that route: don't. Issue client
> certificates from your own self-signed CA, and hand out client certs
> only to your own account holders. Then, no further checks are needed.

Ok, thanks. I will reconsider. It's not that I am too lame to generate
new certs and then import them to a handful of devices. It's more that I
like it that the same client cert in iOS can be used for S/MIME and for
auth with WPA2 Enterprise.

> Yes. There are examples in the shipped tarball of FreeRADIUS for that I
> think. That does not mean that it's the best idea to go down that route.

I'll look into that (I think it has something to do with the
check_cert_cn suggested by Alan).

> When you write above that you can use whatever string you like then
> probably you didn't try this at a remote hotspot. :-)

That's correct :D. In fact, last week was the first time I experienced
WPA2 Enterprise, and only with one (my own) AP.

Cheers!
