TTLS+PAP with Windows
michael at stroeder.com
Wed Mar 15 19:26:30 CET 2017
Herwin Weststrate wrote:
> On 15-03-17 11:00, Herman Øie Kolden wrote:
>> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>>> In general, you should use self-signed certificates for 802.1x (EAP)
>>> authentication. When you list root CAs from other organizations in the
>>> "CA_file", you permit them to masquerade as you,
>> Why is this a concern for EAP, but not for regular web certificates?
> Web certificates have a check to see if the DNS name matches the
> certificate. You can do a hostname check with some RADIUS supplicants,
> but 90% of the people don't use it.
Especially since AFAIK a TLS name-based server identity check as defined in RFC 6125
for various other protocols is not yet clearly defined for RADIUS with EAP.