TTLS+PAP with Windows
Alan DeKok
aland at deployingradius.com
Wed Mar 15 14:22:44 CET 2017
On Mar 15, 2017, at 6:13 AM, Bjørn Mork <bjorn at mork.no> wrote:
>
> I would say it is a concern for web certificates as well. You cannot
> trust them any more than you can trust the long list of public CAs. But
> that's another discussion :)
Pretty much. CAs have been known to give out certificates to the wrong people, and to give out certificates for domains with misleading names.
> At least you have a name you can match up against the DN or SNI for a
> web server. How can the end user verify your RADIUS server certificate?
> Answer: By verifying the issuer. The DN and SNI are irrelevant, since
> the user will not know what they are supposed to be (unless you pin the
> certificate, in which case it could just as well be self signed).
The CA is also pre-provisioned on the user's machine.
> If the issuer gives certificates to anyone, like a public CA will do,
> then anyone can impersonate your RADIUS server,
Exactly.
Alan DeKok.
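The check described in the exchange above, trust only the issuer and pre-provision that issuer's CA on the client, shown as an added configuration example that is not part of the thread. A wpa_supplicant network block stands in for the Windows EAP-TTLS client under discussion; the SSID, identity, CA file path and server name are assumed placeholders. The second block goes one step beyond the thread by also matching the server name, which only works when the administrator, rather than the end user, supplies the expected value.

```conf
# Added example, not from the mailing list thread. wpa_supplicant syntax is
# used as a stand-in for the Windows supplicant; all names are assumptions.

# Weak: no ca_cert, so the RADIUS server certificate is not validated at all.
# Pointing ca_cert at the system's public CA bundle instead would be little
# better: anyone can obtain a public-CA certificate, so anyone could stand up
# a server that this client accepts (the concern raised in the thread).
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="example-password"
    phase2="auth=PAP"
}

# Corrected: trust only the organisation's own CA, pre-provisioned on the
# machine, so a certificate from any public CA is rejected. domain_suffix_match
# additionally ties the certificate to the expected server name, so a
# certificate the same private CA issued to a different host is rejected too.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="example-password"
    phase2="auth=PAP"
    ca_cert="/etc/wpa_supplicant/example-org-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

With PAP as the inner method the user's password crosses the tunnel in clear text, so the tunnel's server-certificate check is the only thing standing between the password and an impersonating server; that is why pinning the issuer matters more here than it does for a web certificate.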