iOS mysterious issues on Freeradius 3.0.14
Matthew Newton
mcn4 at leicester.ac.uk
Thu Mar 23 11:50:43 CET 2017
On Thu, Mar 23, 2017 at 09:29:54AM +0000, Peter Hutchison wrote:
> With PEAP you should *always* use Publicly recognised TLS/SSL
> certificates, preferably with a well-known CA source or one that
> your University supports.
That's certainly not the recommended practice that's ever
normally given here.
All RADIUS certificates should be based on private CA
infrastructure where possible for the best security.
> Also it should be at least 2048 bits and use the SHA256 hash
> algorithm, SHA1 should be phased out.
This is better advice.
> For example, we use JISC service which uses Quo Vadis CA. Do not
> use self-signed or internal CA certificates.
No. Use an internal CA with installers (such as eduroam CAT)
to push the config and root CA to the devices.
You might find a public CA the right balance between convenience
and security for yourselves, and many people do, but it's not
the correct advice for a secure network.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
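
The certificate parameters discussed in this thread (a private CA, keys of at least 2048 bits, SHA-256 signatures), as an added example that is not part of the original message. It assumes the openssl command-line tool is installed; the CA and server names, validity periods and the serverAuth extension are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: private CA plus RADIUS server certificate, then an audit of the result.
set -eu

# Build a private root CA and a server certificate signed by it in directory $1.
make_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private RADIUS CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/srv.ext"
    # Root CA: 2048-bit RSA, self-signed with SHA-256.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server key and CSR, then a SHA-256 signature from the private CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=radius.example.org" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/srv.ext" \
        -out "$dir/server.pem" 2>/dev/null
}

# Print "ok" if certificate $1 has a key of at least 2048 bits (RSA-oriented check),
# is not signed with SHA-1 or MD5, and chains to CA file $2; else print the reason.
audit_cert() {
    cert=$1 ca=$2
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    [ "${bits:-0}" -ge 2048 ] || { echo "weak-key:$bits"; return 1; }
    case $sig in *sha1*|*SHA1*|*md5*|*MD5*) echo "weak-hash:$sig"; return 1;; esac
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "untrusted"; return 1; }
    echo ok
}

# Demo: build the PKI in a temporary directory and audit the server certificate.
demo_dir=$(mktemp -d)
make_pki "$demo_dir"
audit_cert "$demo_dir/server.pem" "$demo_dir/ca.pem"
rm -rf "$demo_dir"
```

Only ca.pem is meant to reach client devices, for example through an installer such as eduroam CAT; ca.key and server.key stay on the systems that generated them.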