TTLS+PAP with Windows
Michael Ströder
michael at stroeder.com
Wed Mar 15 19:26:30 CET 2017
Herwin Weststrate wrote:
> On 15-03-17 11:00, Herman Øie Kolden wrote:
>> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>>
>>> In general, you should use self-signed certificates for 802.1x (EAP)
>>> authentication. When you list root CAs from other organizations in the
>>> "CA_file", you permit them to masquerade as you,
>>
>> Why is this a concern for EAP, but not for regular web certificates?
>
> Web certificates have a check to see if the DNS name matches the
> certificate. You can do a hostname check with some RADIUS supplicants,
> but 90% of the people don't use it.
Especially since AFAIK a TLS name-based server identity check as defined in RFC 6125
for various other protocols is not yet clearly defined for RADIUS with EAP.
Ciao, Michael.