using SSL certs with EAP-TLS

Stefan Winter stefan.winter at restena.lu
Wed Apr 6 09:31:11 CEST 2016


Hi,

>> No. If your server certificate is from a CA, the client can verify that
>> your server is genuine (if the client side is configured correctly to
>> actually check CA and server name).
> With using client: you mean the RADIUS explanation of client? Like the
> Access Point? or the WLAN device, like a smartphone?

In this context, I meant the WLAN device.

>> Since there's no need to go down that route: don't. Issue client
>> certificates from your own self-signed CA, and hand out client certs
>> only to your own account holders. Then, no further checks are needed.
> Ok, thanks. I will reconsider. It's not that I am too lame to generate
> new certs and then import them to a handful devices. It's more that I
> like it that the same client cert in iOS can be used for S/MIME and for
> auth with WPA2 Enterprise.

Ah, well that's a reason for using a commercial CA for the client certs
indeed. As others have pointed out, attributes like TLS-Client-Cert-CN
can be used to compare the cert name against a list of known-good names.
Of course you'll have to manage that list of names yourself in config;
on a scale of "handful" that's not a problem I guess. But on a larger
scale, it will get bothersome.

Greetings,

Stefan Winter

>
>> Yes. There are examples in the shipped tarball of FreeRADIUS for that I
>> think. That does not mean that it's the best idea to go down that route.
> I'll look into that (I think it has something to do with the by Alan
> suggested check_cert_cn).
>
>> When you write above that you can use whatever string you like then
>> probably you didn't try this at a remote hotspot. :-)
> That's correct :D. In fact, last week was the first time I experienced
> WPA2 Enterprise and only with one (my own) AP.
>
> Cheers!
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
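As an added example that is not part of the thread, one way to implement the "list of known-good names" check described above as FreeRADIUS 3.0 unlang; it assumes the virtual server named by `virtual_server` in the eap module's tls-config section (sites-available/check-eap-tls in 3.0), where the TLS-Client-Cert-* attributes are present during the handshake, and uses the 3.0 dictionary name TLS-Client-Cert-Common-Name for what the thread calls TLS-Client-Cert-CN. The device names are constructed.

```unlang
# Added example, not the project's shipped config. Assumes FreeRADIUS 3.0 and
# that this server is referenced from the eap module's tls-config via
# "virtual_server = check-eap-tls". FreeRADIUS runs its authorize section
# during the TLS handshake, after the chain to the CA has verified, with the
# TLS-Client-Cert-* attributes in the request; "reject" fails the handshake.
server check-eap-tls {
    authorize {
        # Hand-managed allowlist of certificate CNs. Matching is exact and
        # case-sensitive, so list the CN exactly as issued by the CA.
        # Constructed example names:
        switch &TLS-Client-Cert-Common-Name {
            case "alice-phone" {
                ok
            }
            case "alice-laptop" {
                ok
            }
            case "bob-phone" {
                ok
            }
            case {
                # Valid cert from the CA, but the holder is not one of ours:
                # record why and fail the handshake.
                update request {
                    &Module-Failure-Message := "EAP-TLS cert CN not on allowlist: %{TLS-Client-Cert-Common-Name}"
                }
                reject
            }
        }
    }
}
```

The built-in `check_cert_cn = %{User-Name}` setting in the eap module's tls section (the check_cert_cn the thread refers to) is the simpler alternative when each certificate CN should equal the outer EAP identity rather than be looked up in a separate list.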
