After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
stefan.winter at restena.lu
Thu Dec 21 12:33:03 CET 2017
do you realise that such a setup will let EVERYBODY into your network?
Including all the bad guys? Or do the phones have an additional (strong)
On 21.12.2017 at 11:50, Gladewitz, Robert wrote:
> I cannot export a new CA infrastructure at one time, because there would be too many phone clients that lose the connection!
> My idea is that we ignore all client certificates (sending the server certificate will be OK) for the time while we publish the new certificates on all Cisco clients.
> At the moment, I have configured Auth-Type = eap8021xciscophone in my database, and eap8021xciscophone is configured as TTLS including this wrong CA infrastructure.
> So, in which part can I send the accept to the switch without checking the client certificate and CA? The authorize process is done correctly.
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter at restena.lu]
> Sent: Thursday, 21 December 2017 11:08
> To: Gladewitz, Robert <Robert.Gladewitz at dbfz.de>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
>> Is there a possible way to ignore all certificates in TTLS and send an accept?
> Paraphrased, you ask "Is there a way to throw overboard all security, and to make my users susceptible to MITM attacks?"
> Surprisingly, the answer is "Yes, that's the default behaviour." A non-configured supplicant will typically accept all certificates thrown at it, at best with a UI question like "Do you think that cert is okay?"
> That's a client-side problem though - FreeRADIUS always needs to *send* a server certificate.
> Stefan Winter
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
> Tel: +352 424409 1
> Fax: +352 422473
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me