TTLS+PAP with Windows

cedric delaunay cedric.delaunay at
Thu Mar 16 09:12:54 CET 2017

On 15/03/2017 at 14:31, Alan DeKok wrote:
> On Mar 15, 2017, at 6:00 AM, Herman Øie Kolden <herman at> wrote:
>> On Wed, Mar 15, 2017 at 09:53:39AM +0100, Bjørn Mork wrote:
>>> In general, you should use self-signed certificates for 802.1x (EAP)
>>> authentication. When you list root CAs from other organizations in the
>>> "CA_file", you permit them to masquerade as you,
>> Why is this a concern for EAP, but not for regular web certificates?
>    Because you don't own  So you don't care (so much) if someone else masquerades as  In fact, you have *no idea* who "" really is.  All you know is that there's a certificate from a CA, which says that this site is really "".
>    For most web browsing, that's good enough.  The CA is pre-provisioned on your machine, which means you trust the CA, and then trust them to say who google really is.
>    For EAP, you own the site, so you *do* care who else can masquerade as you.  By using a self-signed CA and provisioning it on the users machines, you're sure that no one else can pretend to be you.

Hi Alan,
I'm not really familiar with these subjects, so excuse my question if it's 
a newbie one.
Reading this, what do you propose if we don't have any access to the 
clients' machines (students or autonomous users)? I can't provision 
anything on them, just announce a valid server certificate.

>>> to authenticate your users, and to issue client
>>> certificates for EAP-TLS.
>> Agreed, but as we don't use client certificates in our organization,
>> this doesn't apply to us.
>    That's not how the protocols work.
>    If you allow EAP-TLS, you allow users to be authenticated with client certificates.  *ANY* client certificate which has a chain of trust going back to the root CA.
>    When you use a public CA, you let *anyone on the planet* issue client certificates which will be accepted as genuine by your RADIUS server.  Because that's how the certificate chain of trust works.
>    When you use a self-signed CA, the only person who can issue client certificates is you.  And if you don't issue client certificates, you know that there are none which have been issued.
>    Alan DeKok.

Cédric Delaunay			Direction des Systèmes d'Informations
Equipe Réseau & Telephonie	263, Avenue du Général Leclerc
Tel: 02 23 23 71 59		CS 74205 - 35042 Rennes Cedex

For any request, use the help and support service via the ENT at the address
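Alan's point about what goes into the CA file, shown as an added example that is not from the list thread: a RADIUS server doing EAP-TLS accepts any client certificate that chains to a CA it trusts, so every CA listed in the file can effectively enrol users. The script assumes the openssl command-line tool is installed; the CA and user names are made up.

```shell
#!/bin/sh
# Added example (not from the FreeRADIUS thread). Assumes the openssl CLI.
# "ours" stands in for the self-signed CA we run; "other" stands in for any
# CA we do not control (a public CA, another organisation). Names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (key + certificate)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1 Root CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# issue_client CA USER: have CA sign a client certificate for USER
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_client CA_FILE CERT: the check a RADIUS server makes during EAP-TLS,
# reduced to chain validation against CA_FILE; prints accepted or rejected
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca ours
make_ca other
issue_client ours alice      # a user we enrolled ourselves
issue_client other outsider  # a user enrolled by the CA we do not control

# A CA file holding only our CA: only certificates we issued pass.
OURS="$WORK/ours-ca.pem"
# A CA file that also lists the other CA (as a public bundle would):
# its certificates pass too, although we never issued them.
BUNDLE="$WORK/bundle.pem"
cat "$WORK/ours-ca.pem" "$WORK/other-ca.pem" > "$BUNDLE"

echo "ours  / alice:    $(verify_client "$OURS" "$WORK/alice.pem")"      # accepted
echo "ours  / outsider: $(verify_client "$OURS" "$WORK/outsider.pem")"   # rejected
echo "bundle/ outsider: $(verify_client "$BUNDLE" "$WORK/outsider.pem")" # accepted
```

The last line is the situation Alan describes: nothing in the server's configuration distinguishes "outsider" from "alice" once the other CA is trusted, which is why a CA you do not run should not appear in that file.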
