TTLS+PAP with Windows

Alan DeKok aland at
Wed Mar 15 14:22:44 CET 2017

On Mar 15, 2017, at 6:13 AM, Bjørn Mork <bjorn at> wrote:
> I would say it is a concern for web cerificates as well. You cannot
> trust them any more than you can trust the long list of public CAs. But
> that's another discussion :)

  Pretty much.  Was have been known to give out certificates to the wrong people, and to give out certificates for domains with misleading names.

> At least you have a name you can match up against the DN or SNI for a
> web server.  How can the end user verify your RADIUS server certificate?
> Answer: By verifying the issuer.  The DN and SNI are irrelevant, since
> the user will not know what they are supposed to be (unless you pin the
> certificate, in which case it could just as well be self signed).

  The CA is also pre-provisioned on the users machine.

> If the issuer gives cerificates to anyone, like a public CA will do,
> then anyone can impersonate your RADIUS server,


  Alan DeKok.

More information about the Freeradius-Users mailing list