Help for buy a real Cert (not self-signed)
Brian Candler
b.candler at pobox.com
Mon Jan 30 16:52:23 CET 2017
On 30/01/2017 11:51, Spider s wrote:
> And now my questions. First, I have got my freeradius installation
> (3.10 on Ubuntu) running with AD auth, but with limitations, because I need
> to install my self-signed cert on every device to connect to the wifi.
>
> I don't want this (I don't want to install the certs), and I need to buy a
> real cert from a real CA, I know, but I have never bought one for this.
I've been down this path, and I'm afraid you'll find it's a dead end.
The problem is that some clients (specifically Android and Linux) have
no way to bind a particular SSID to a particular certificate
*identity*. They will accept any certificate signed by the selected CA.
What it means is, you are forced to create a throw-away CA purely for
RADIUS use. Even if you run your own existing private CA, you can't use
it: that's because anyone who has a certificate from your CA would be
able to set up a rogue access point and intercept everyone else's traffic.
Windows, OSX and (I think) iOS don't have this problem. You can create
profiles for them which only accept a certificate with a given identity
or identities (say, "wireless.yourdomain.com"). You can then get this
cert from a public CA - even for free from Letsencrypt. If the access
point presents a certificate with a different identity, the client will
refuse to connect.
But your Android and Linux users will be totally insecure. If you
configured them to accept (say) the Letsencrypt CA, they will accept
*any* certificate from the Letsencrypt CA, and happily send both their
credentials and all their network traffic via the rogue access point.
This IMO is a major flaw in wpa_supplicant, but that's just how it is.
In any case, it's very important that you don't let your clients simply
connect to your access point and click through all the prompts - they
must install a pre-configured profile. If they don't, they will most
likely have an insecure setup. EAP-PEAP is highly insecure by default.
There *is* a way to do strong mutual password authentication without
certificates: it's called EAP-pwd. It's supported by FreeRADIUS, Linux
and Android. But unfortunately it's not implemented in Windows or OSX :-(
Regards,
Brian.
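The difference Brian describes between a "trust this CA" profile and a "trust this CA *and* this identity" profile, as an added example that is not part of the thread. The certificates are constructed stand-ins (plain records with issuer, subject CN and SAN names; chain validation is reduced to an issuer lookup) so the code runs offline and isolates the identity check. The rogue certificate models the case in the post: a cert legitimately issued by the same public CA but for some other name. The suffix check also handles the label-boundary edge case, so "notyourdomain.com" does not pass as a subdomain of "yourdomain.com".

```python
"""Two supplicant trust policies for an EAP (RADIUS) server certificate.

Added example, not code from the thread or from any supplicant.
Certificates are constructed stand-ins; real path validation is
abstracted to an issuer lookup so the identity logic stands out.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 server certificate (constructed)."""
    issuer: str                      # CA that signed it
    subject_cn: str                  # subject Common Name
    san_dns: tuple[str, ...] = ()    # subjectAltName dNSName entries


def chain_is_valid(cert: Cert, trusted_cas: set[str]) -> bool:
    """Stand-in for full chain/path validation: issuer must be a trusted CA."""
    return cert.issuer in trusted_cas


def ca_only_policy(cert: Cert, trusted_cas: set[str]) -> bool:
    """Weak policy: accept any certificate chaining to a trusted CA.
    With a public CA this accepts every certificate that CA ever issued."""
    return chain_is_valid(cert, trusted_cas)


def domain_suffix_matches(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it on a label boundary.
    Case-insensitive; trailing dots ignored."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def identity_policy(cert: Cert, trusted_cas: set[str], expected_suffix: str) -> bool:
    """Strong policy: trusted CA *and* a presented name under expected_suffix.
    SAN dNSNames take precedence; the subject CN is only a fallback when
    the certificate carries no SAN."""
    if not chain_is_valid(cert, trusted_cas):
        return False
    names = cert.san_dns or (cert.subject_cn,)
    return any(domain_suffix_matches(n, expected_suffix) for n in names)


# Constructed sample data: one public CA trusted by the client profile.
TRUSTED_CAS = {"Example Public CA"}
EXPECTED_SUFFIX = "yourdomain.com"

LEGIT_CERT = Cert("Example Public CA", "wireless.yourdomain.com",
                  ("wireless.yourdomain.com",))
# Issued by the same public CA to someone else entirely (rogue AP case).
ROGUE_CERT = Cert("Example Public CA", "hotspot.other-org.example",
                  ("hotspot.other-org.example",))
# Same CA, name that merely ends in the expected string (label-boundary case).
LOOKALIKE_CERT = Cert("Example Public CA", "notyourdomain.com",
                      ("notyourdomain.com",))
# Right name, but signed by a CA the profile does not trust.
UNTRUSTED_CERT = Cert("Some Other CA", "wireless.yourdomain.com",
                      ("wireless.yourdomain.com",))


def evaluate(cert: Cert) -> dict[str, bool]:
    """Return the verdict of both policies for one certificate."""
    return {
        "ca_only": ca_only_policy(cert, TRUSTED_CAS),
        "identity": identity_policy(cert, TRUSTED_CAS, EXPECTED_SUFFIX),
    }


if __name__ == "__main__":
    for label, cert in [("legit", LEGIT_CERT), ("rogue", ROGUE_CERT),
                        ("lookalike", LOOKALIKE_CERT), ("untrusted", UNTRUSTED_CERT)]:
        print(f"{label:10s} {evaluate(cert)}")
```

The CA-only policy accepts the legitimate, rogue and lookalike certificates alike, which is exactly the exposure described for clients that can only pin a CA; the identity policy accepts only the certificate that both chains to the trusted CA and names a host under the expected domain.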