Server certificate and clients (eap-tls) certificate

Nathan Ward lists+freeradius at daork.net
Tue Dec 12 04:43:04 CET 2017


> On 12/12/2017, at 4:26 PM, work vlpl <thework.vlpl at gmail.com> wrote:
> 
> On 12 December 2017 at 08:36, Nathan Ward <lists+freeradius at daork.net> wrote:
>> 
>> https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/certs/README
>> 
>> Line 26 onwards:
>>  In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication.  When you list root CAs from other organisations in
>> the "ca_file", you permit them to masquerade as you, to authenticate
>> your users, and to issue client certificates for EAP-TLS.
>> 
> 
> Yes, I am aware of it, and I set the `ca_file` variable to point to my
> self-generated/self-signed CA certificate.
> I am asking about the `certificate_file` and `private_key_file` variables,
> which represent the RADIUS server; the documentation says not to use a
> globally known CA only for the `ca_file` variable.


I have not tried using a certificate_file that is not trusted by the CA in ca_file; perhaps it doesn’t relate. The documentation seems to indicate that the ca_file is presented along with certificate_file, but I am not certain, as that is in the RadSec stuff, not EAP.

However:
- If you use a 3rd party CA for ca_file, they can create fake users (and it could be expensive unless you buy a certificate which can sign certificates..)
- If you use a 3rd party CA signed cert for certificate_file, they can create a certificate that impersonates your RADIUS server and set up fake APs/whatever. This is the main concern.

--
Nathan Ward
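The two bullets above can be reproduced on the command line. The script below is an added example, not part of this thread and not one of the FreeRADIUS project's own files; it assumes only the openssl CLI, and every file name and subject name in it is made up. It builds a self-signed private CA and a server certificate issued by it, then a second CA standing in for a commercial one that also issues a certificate for the same server name (and a second "impostor" certificate for that name). The check that matters for a ca_file/certificate_file pairing, and for a supplicant that trusts only your private CA, is whether a certificate validates against that one CA file: the private-CA certificate does, the commercial-CA certificates do not, and against the commercial CA both of its certificates verify equally, which is the impersonation problem.

```sh
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): show why certificate_file
# should chain to a CA you generated yourself. Requires the openssl CLI only.
set -e

WORK=$(mktemp -d)   # scratch directory for the constructed keys and certs

# make_ca NAME "SUBJECT CN": self-signed CA written to $WORK/NAME.pem and .key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CANAME "SERVER CN" OUTNAME: CSR for the server, signed by CANAME
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$3.pem" 2>/dev/null
}

# chains_to_ca CANAME CERTNAME: succeeds only if CERTNAME validates against
# CANAME alone, i.e. what a supplicant that trusts just that CA file would accept
chains_to_ca() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# ca_fingerprint NAME: SHA-256 fingerprint of the CA cert, the value you would
# hand to supplicants so they trust exactly this CA and nothing else
ca_fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# report CANAME CERTNAME: one verdict line, never aborts the script under set -e
report() {
  if chains_to_ca "$1" "$2"; then
    echo "$2.pem verifies against $1.pem"
  else
    echo "$2.pem does NOT verify against $1.pem"
  fi
}

# Constructed scenario: your own CA and a stand-in for a commercial CA,
# both issuing certificates for the same RADIUS server name.
make_ca private "Example Private RADIUS CA"
make_ca commercial "Some Commercial CA"
issue_server_cert private radius.example.org server_private
issue_server_cert commercial radius.example.org server_commercial
issue_server_cert commercial radius.example.org impostor

echo "Private CA fingerprint to distribute to supplicants: $(ca_fingerprint private)"
report private server_private       # verifies: the pairing the README asks for
report private server_commercial    # rejected: a supplicant pinned to your CA sees a stranger
report commercial server_commercial # verifies ...
report commercial impostor          # ... and so does anyone else's cert from that CA
```

Run it as-is; it prints the private CA's fingerprint and four verdict lines. The last two lines are the point of the second bullet: once supplicants trust a CA you do not control, every certificate that CA issues for your server's name looks the same to them.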
