iOS mysterious issues on Freeradius 3.0.14

A.L.M.Buxey
Thu Mar 23 12:16:53 CET 2017


> With PEAP you should *always* use publicly recognised TLS/SSL certificates, preferably from a well-known CA or one that your University supports. Also it should be at least 2048 bits and use the SHA256 hash algorithm; SHA1 should be phased out. For example, we use the JISC service, which uses the Quo Vadis CA. Do not use self-signed or internal CA certificates.

wrong. best practice, security wise, for EAP 802.1X within the enterprise is to use a local CA, do NOT use a public CA.

your clients will trust the CA because you use a deployment tool, MDM solution etc to ensure that CA is
on your clients - only YOUR clients need to trust the CA of your RADIUS server. if offering a roaming service
eg eduroam, visitors never see the CA of your server - the authentication is proxied back to the home site...which
they, in turn, are configured to only trust.

using a public CA is insecure (for various reasons, first is that many clients can only trust a CA, not a particular server,
and ANYONE can get a server cert from a public CA - it doesn't have to match the name/realm of your target, just be from the same
CA) - you are also bound by the public CA timings/requirements - 2 or 3 years for the server, expires when they decide, not when it's good for
you - and also, add into the mix, if the CA gets compromised, the OS vendors will blacklist/revoke it (eg those 2 Dutch CAs a few years back) -
let's hope you aren't using those, or none of your clients now have network access :/
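The client-side point above (a CA trusted without a server-name check accepts any cert from that CA) in wpa_supplicant terms, as an added example that is not part of the original post; the SSID, file paths and server name are assumed placeholders:

```ini
# WEAK: trusts every certificate any public CA has ever issued. No ca_cert
# means no chain check at all; no domain_match means any server name is accepted.
network={
    ssid="CampusWiFi"            # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu" # assumed realm
    password="..."
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the local enterprise CA (pushed to the device by MDM/deployment
# tooling) and require the RADIUS server cert's name to match exactly.
network={
    ssid="CampusWiFi"            # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu" # assumed realm
    password="..."
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/local-radius-ca.pem"  # assumed path to the local CA
    domain_match="radius.example.edu"             # assumed RADIUS server name
}
```

With the hardened block, a certificate issued by a public CA, or even by the local CA for a different host name, is rejected before credentials are sent.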

