Double check of sanity with PEAP setup

Alan DeKok aland at
Fri Dec 13 13:32:09 CET 2019

On Dec 12, 2019, at 5:55 PM, Adam Taylor <ataylor at> wrote:
> We currently use PEAP to auth our wireless.  My question is about doing the certificates correctly on the new radius servers.  We currently use a Global CA cert in the TLS section but everywhere says not to in the config files.  I'm confused as to why for PEAP, as we have to have a CA signed cert for all the user devices to not throw a "could not verify cert" creating the TLS tunnel before EAP.  Clients installing a cert is a non-starter... there is no way with the amount of visitors.

  Clients have to do *something*.  Every client system defaults to not allowing any CA for EAP.  Including "known root" CAs which are allowed by default for web surfing.

  This is for security.  With EAP, you are sending your credentials to the other end.  Which means you need to know that it really is trusted.  And, it's the end you want to send credentials to.

  In contrast, with WWW, the other end is sending data to you.  Which means that if the site has the correct certificates, it *must* be the correct data.  And, you don't really care what that data is.

  So... you *still* have to have clients edit their configuration, in order to use a particular SSID with a particular root CA.

> So is a CA signed TLS cert correct for PEAP auth or am I not understanding something in the documentation?

  The documentation is largely left over from before client systems did certificate pinning.  What used to happen is that when the client trusted a root CA, they would then trust *any* server cert signed by that root CA.  Which meant that anyone could get a root CA, publish an SSID, and then start grabbing EAP credentials.

  Client systems now do certificate pinning.  When they first authenticate, they save a copy of the server certificate.  If that certificate changes, the clients either complain, or refuse to continue.

  The only way to avoid that was to trust a root CA which was under your control.  i.e. so you could be sure that no one else ever was issued a server cert.

> I just want to make sure I do this correctly and do not have some giant gaping security hole.

  You don't.  Clients have a gaping security hole because they will randomly trust / allow any root CA.  Which is why those should be preconfigured.

  There has been discussion in the IETF about addressing some of the remaining security issues with 802.1X / EAP.  Many of which are UI / usability issues.  But there is also significant resistance to fixing things, for reasons which are unclear to me.

  Alan DeKok.
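As an added illustration of the client-side configuration Alan describes (example text, not from this thread or from the FreeRADIUS project), here is a wpa_supplicant PEAP network block with no CA configured beside one that pins the organisation's own root CA and the RADIUS server name; the SSID, identity, file path and hostname are assumed placeholders.

```conf
# Added example (not from the thread or the FreeRADIUS project): two
# wpa_supplicant network blocks for the same PEAP SSID. The SSID,
# identity, CA path and hostname are assumed placeholders.

# WEAK: no ca_cert. wpa_supplicant logs a warning but still builds the
# outer TLS tunnel to whatever server answers for this SSID, so any
# RADIUS server with a CA-signed cert sees the inner MSCHAPv2 exchange.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the organisation's own root CA and require the
# server certificate to match the expected hostname, so a cert issued
# by any other CA, or for any other host, is rejected before the inner
# credentials are sent. anonymous_identity keeps the real username out
# of the unencrypted outer EAP-Identity exchange.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
```

The second block is what "preconfigured" means in practice: the CA file and server name are pushed to the device (by hand, MDM, or an onboarding tool) before the first connection, rather than left to the user's judgement at connect time.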
