AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
Robert.Gladewitz at dbfz.de
Thu Dec 21 11:50:45 CET 2017
I cannot export a new CA infrastructure all at once, because there would be too many phone clients that lose the connection!
My idea is that we ignore all client certificates (sending the server certificate will be OK) for the time while we publish the new certificates on all Cisco clients.
At the moment, I have configured Auth-Type = eap8021xciscophone in my database, and eap8021xciscophone is configured as TTLS including this wrong CA infrastructure.
So, in which part can I send the accept to the switch without checking the client certificate and CA? The authorize process is done correctly.
From: Stefan Winter [mailto:stefan.winter at restena.lu]
Sent: Thursday, 21 December 2017 11:08
To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
> Is there a possible way to ignore all certificates in TTLS and send an accept?
Paraphrased, you ask "Is there a way to throw overboard all security, and to make my users susceptible to MITM attacks?"
Surprisingly, the answer is "Yes, that's the default behaviour." A non-configured supplicant will typically accept all certificates thrown at it, at best with a UI question like "Do you think that cert is okay?"
That's a client-side problem though - FreeRADIUS always needs to *send* a server certificate.
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me