EAP SSL Cert "Not Trusted"

Alan DeKok aland at deployingradius.com
Thu Jun 15 20:14:50 CEST 2017 

On Jun 15, 2017, at 1:42 PM, Trevor Jennings <Trevor at simple101.com> wrote:
> We've had EAP functioning well for the past 7-8 years and when the cert
> comes up to renew, I've been asked why do we need to keep trusting the
> certificate, so I am trying to find answers.

  You need to keep trusting the cert, because if you don't trust it, you shouldn't use it for anything.

>>  Do not use public CA certs for WiFi authentication.  It's insecure.
>> 
> So you are suggesting we should be using self signed certs instead of a
> public CA?

  It's generally safer.  For many reasons outlined earlier.

  Most end-user systems now do "server cert pinning".  This means that they keep a copy of the server cert on first successful authentication.  They then refuse to connect if the server cert changes.

  It's not part of the specs, but it's arguably better than nothing.

>>  And no, the Apple devices do NOT already trust the Thawte cert for WiFi
>> authentication.  They trust the Thawte cert for web surfing, which is
>> entirely different.
>> 
> This is what I do not understand. The root certificate is the same for both
> and is sent as part of the EAP process along with the server certificate. I
> know this sounds like a stupid question but how are these both different?

  EAP is different from HTTPS.

  That's the short answer.

  The longer answer is that EAP has a very different use-case than HTTPS.  For HTTPS, you want to ensure that the web site you're connecting to is "known".  i.e. trusted by the CA.  But you are NOT giving it your password.  You're downloading their web site.

  For EAP, you're not downloading data.  You're handing the server your password.  So you want to be sure that you're handing the password to the *correct* server.  i.e. as server you know.  Not a random server which is trusted by the CA.

  Do you "trust" both gmail and Microsoft enough to download web pages from them?  Likely yes.

 Would you hand your gmail account passwords to Microsoft?  Likely not.

  That's the difference.

  Alan DeKok.

More information about the Freeradius-Users mailing list