Troubleshooting EAP-TLS with External Certificates

Alan Buxey A.L.M.Buxey at
Thu Aug 25 19:36:31 CEST 2016

For 802.1X, it is a closed-loop system. Only those clients authing against you should trust you; thus they can be configured to trust you, i.e. knowing your CA. If you use a public CA then anyone else can get a cert signed by that CA for small change; they can then do e.g. evil twin etc. attacks, and badly configured clients will auth against them, thus giving them the user's password (or easily cloud-cracked MSCHAP challenge/response). Many clients have only basic "trust the CA". So a local CA is the one way to ensure the lowest common denominator is secure.

Couple this with other things - e.g. if you use a public CA you are a slave to THEIR server timeframes, policies etc. If that root becomes an intermediate or the CA gets revoked by the OS, your service is hosed. Also there are requirements/flags in the root CA and server CA for RADIUS clients... and several clients do not work with wildcard server certs in RADIUS land.

(Note, you don't need a cert per RADIUS server either if it's the same service.)

Don't just take my word for it, it's Best Common Practice to not use public CAs - ask one of the main RADIUS RFC authors ;)
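As an added illustration, not part of Alan's post or the FreeRADIUS project, here is a wpa_supplicant network block in the weakly configured form the post warns about (the PEAP/MSCHAPv2 case where a rogue server collects the challenge/response), beside a corrected block that pins the client to the organisation's own CA and to the RADIUS server's name. The SSID, identity, CA file path and server name `radius.example.org` are assumptions.

```conf
# Constructed example, not from the original post.

# WEAK: no ca_cert, so the supplicant accepts any server certificate,
# including one issued by a public CA to a rogue access point.
network={
    ssid="corp-wifi-example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: trust only the local CA and require the server name to match,
# so a server presenting a publicly signed certificate is rejected before
# any MSCHAPv2 challenge/response leaves the client.
network={
    ssid="corp-wifi-example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"   # local CA, assumed path
    domain_match="radius.example.org"   # exact match against the server cert's name
}
```

Only the second block makes the closed loop the post describes: the client knows exactly one CA and one server name, so a certificate from any public CA, wildcard or not, fails validation regardless of how the rest of the client is configured.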

