Help for buy a real Cert (not self-signed)

Stefan Winter stefan.winter at
Thu Feb 2 09:08:34 CET 2017


>> The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP.
> Linux can be properly configured.  Well, depending on the UI used.  Android may get there in a few years, but hid the necessary tools from the user and ignored the bug report asking for it for a decade, then closed it unresolved.

Since Android 4.3 the API allows one to pin all security parameters
including server name. We make use of that in eduroam with the eduroam
CAT app and config files which bring all the needed security settings.
It is limited to one root CA though.

Since Android 7.0 the API allows multiple trusted root CAs which helps
with cert rollover scenarios.

Since Android 7.1 the UI exposes the server name field as well (but
calling it "Domain" of all things). Manual configuration in a secure way
is now possible but still incredibly clumsy compared to .mobileconfig
files on iOS for example. That's why we keep our eduroam CAT Android app
around :-)

But then, who has 7.1 anyway :-)

>> I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated.  However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN.
>> It would be an interesting project, but I don't have time to implement it :-)
> I did play with that a bit... not the first-time-seen part but just randomly sending out a bad cert.  It confused clients horribly.
> I'd think you'd want to serve the correct certificate first, so Apples pin it, then after a successful auth or two test them for
> compliance.

Trouble is that you are fooling around with your users in first use. If
things go sideways on first try (and you make sure it does) then with an
impatient user there is no second try, and you lose the customer.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list