TTLS+PAP with Windows

Michael Ströder michael at stroeder.com
Wed Mar 15 19:26:30 CET 2017


Herwin Weststrate wrote:
> On 15-03-17 11:00, Herman Øie Kolden wrote:
>> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>>
>>> In general, you should use self-signed certificates for 802.1x (EAP)
>>> authentication. When you list root CAs from other organizations in the
>>> "CA_file", you permit them to masquerade as you, 
>>
>> Why is this a concern for EAP, but not for regular web certificates?
> 
> Web certificates have a check to see if the DNS name matches the
> certificate. You can do a hostname check with some RADIUS supplicants,
> but 90% of the people don't use it.

Especially since AFAIK a TLS name-based server identity check as defined in RFC 6125
for various other protocols is not yet clearly defined for RADIUS with EAP.

Ciao, Michael.
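
An added example, not part of the original thread: a Python audit that flags EAP network blocks in a wpa_supplicant configuration which lack the CA pin or the server name check discussed above. The choice of wpa_supplicant as the supplicant, and the SSIDs, file paths and domain in the sample, are assumptions constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and domain are placeholders.
SAMPLE_CONF = '''
network={
    ssid="corp-open-trust"
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="corp-ca-only"
    eap=TTLS
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=PAP"
}
network={
    ssid="corp-pinned"
    eap=TTLS
    ca_cert="/etc/radius/private-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
'''
# wpa_supplicant options that constrain the name in the server certificate.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map ssid -> list of findings for every block that uses EAP."""
    report = {}
    for net in parse_networks(text):
        if "eap" not in net:
            continue
        findings = []
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert/ca_path: server certificate is not verified")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no server name check: any certificate from a trusted CA passes")
        if findings and "PAP" in net.get("phase2", "").upper():
            findings.append("PAP inner method: password goes to whichever server passed")
        report[net["ssid"]] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns three findings for the first block, two for the block that trusts a public CA bundle without a name check, and none for the block pinned to a private CA and a server name.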

