TTLS+PAP with Windows
Herwin Weststrate
herwin at quarantainenet.nl
Wed Mar 15 11:07:15 CET 2017
On 15-03-17 11:00, Herman Øie Kolden wrote:
> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>
>> In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication. When you list root CAs from other organizations in the
>> "CA_file", you permit them to masquerade as you,
>
> Why is this a concern for EAP, but not for regular web certificates?
Web certificates have a check to see if the DNS name matches the
certificate. You can do a hostname check with some RADIUS supplicants,
but 90% of the people don't use it. This means there is only one check
remaining: is this certificate valid according to some certificate
authority on this device. This means I can order a certificate for
foo.com and use that on a rogue access point inside company Bar.
--
Herwin Weststrate
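The two supplicant configurations discussed above, as an added example for wpa_supplicant.conf that is not part of the thread; the SSID, identity, CA file path and server name are constructed placeholders:

```conf
# Added example (not from the thread). Two EAP-TTLS/PAP network blocks
# for wpa_supplicant; SSID, identity, CA path and server name are made up.

# WEAK: trusts the system's public CA bundle and performs no server-name
# check. Any certificate issued by any CA in that bundle, for any
# hostname, is accepted, so a certificate for foo.com on a rogue AP
# inside company Bar validates just fine.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="REPLACE_ME"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# HARDENED: trust only the organisation's own (self-signed) RADIUS CA,
# and require the server certificate to carry the expected name.
# Both conditions must hold, so neither a public CA certificate nor a
# different server signed by the private CA is accepted.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="REPLACE_ME"
    phase2="auth=PAP"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    # Full match against the server certificate's SAN dNSName (or CN).
    domain_match="radius.corp.example"
    # Alternative when several RADIUS servers share one parent domain:
    # domain_suffix_match="corp.example"
}
```

On Windows the equivalent controls live in the EAP profile: the list of trusted root CAs and the "Connect to these servers" name list, which is the hostname check most deployments leave empty.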