EAP SSL Cert "Not Trusted"

Trevor Jennings Trevor at simple101.com
Thu Jun 15 21:53:19 CEST 2017


Thank you for that explanation. That has helped a lot to understand the
difference between the EAP and HTTPS certificate process and why private
signed is better than the public signed CA.

Cheers,

  - Trevor

On Thu, Jun 15, 2017 at 2:14 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 15, 2017, at 1:42 PM, Trevor Jennings <Trevor at simple101.com> wrote:
> > We've had EAP functioning well for the past 7-8 years and when the cert
> > comes up to renew, I've been asked why do we need to keep trusting the
> > certificate, so I am trying to find answers.
>
>   You need to keep trusting the cert, because if you don't trust it, you
> shouldn't use it for anything.
>
> >>  Do not use public CA certs for WiFi authentication.  It's insecure.
> >>
> > So you are suggesting we should be using self signed certs instead of a
> > public CA?
>
>   It's generally safer.  For many reasons outlined earlier.
>
>   Most end-user systems now do "server cert pinning".  This means that
> they keep a copy of the server cert on first successful authentication.
> They then refuse to connect if the server cert changes.
>
>   It's not part of the specs, but it's arguably better than nothing.
>
> >>  And no, the Apple devices do NOT already trust the Thawte cert for WiFi
> >> authentication.  They trust the Thawte cert for web surfing, which is
> >> entirely different.
> >>
> > This is what I do not understand. The root certificate is the same for
> both
> > and is sent as part of the EAP process along with the server
> certificate. I
> > know this sounds like a stupid question but how are these both different?
>
>   EAP is different from HTTPS.
>
>   That's the short answer.
>
>   The longer answer is that EAP has a very different use-case than HTTPS.
> For HTTPS, you want to ensure that the web site you're connecting to is
> "known".  i.e. trusted by the CA.  But you are NOT giving it your
> password.  You're downloading their web site.
>
>   For EAP, you're not downloading data.  You're handing the server your
> password.  So you want to be sure that you're handing the password to the
> *correct* server.  i.e. as server you know.  Not a random server which is
> trusted by the CA.
>
>   Do you "trust" both gmail and Microsoft enough to download web pages
> from them?  Likely yes.
>
>  Would you hand your gmail account passwords to Microsoft?  Likely not.
>
>   That's the difference.
>
>   Alan DeKok.
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>


More information about the Freeradius-Users mailing list