I'm actually just shooting off at the mouth here, since I don't know
exactly how MS choose to implement their RADIUS server. Despite that,
crypto and PKI in general are a sure bet to get me to fire off a
half-considered comment or three.

Any app can go off and grab the CRL from the signing authority, but the
method of retrieval could be a problem. There have been lots of reports
to suggest that the CRL "checking" in browsers and also the CA support
for same has been plagued with problems. Personally, I trust it about as
far as I can throw it. This is why I've always recommended insourced CAs
for large-scale VPN deployments that require Certificates. That way you
can have in-house control of your users' certs and there is much less
gap-time between revocation and actual lock-out from the user side.

OCSP looks to be "better", and certainly addresses several severe
technical limitations with the CRL model, but it still doesn't appear to
be widespread enough.

Actually, I should just come clean - I don't really trust the whole CA
model very much. The technology is good, but there are a whole bunch of
real world factors that introduce risks that often get overlooked when
the glossy brochure from SooperIdentiCorp hits the boardroom table.

So, overall, I would suggest that in theory both the client and the
server can verify the certificate by checking the signature (almost all
apps have a built-in copy of the root certs for the major CAs) and they
can, in theory, check the CRL from the signing root. In real life, I
trust the signature checking (although there are still problems even so)
but I completely mistrust the validity checking. The major browsers, for
example, both claim to support CRL checking. I assume that any
authentication server that supports digital certs would support (in
theory) CRL checking or OCSP. I'm not as confident that all VPN clients
do so. I would imagine that they would check the server cert's
_signature_ - that just makes sense. I would not be at all surprised to
discover, though, that many vendors have chosen to dispense with the
current validity checking in favour of speed. 

In general, my stance remains that "normal" PKI is reasonably broken for
this kind of thing. It sort of works for online TLS connections (modulo
broken browsers) but it's an absolute can of worms for VPN/RA scenarios.
That's a discussion that needs more space.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304 


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Madhur Nanda
> Sent: Monday, April 29, 2002 9:46 AM
> To: [EMAIL PROTECTED]
> Subject: Microsoft EAP ( L2TP/Ipsec)
> 
> 
> Hi,
> 
> I'm trying to explore the EAP authentication support provided in
> Microsoft RADIUS server. I need to know how it works,
> mainly how certificates are verified. Is it only the server
> that checks the user certificate against the CRL (revocation
> list), or does the client side also try to verify the server certificate?
> I'm also exploring L2TP/IPSec with EAP and here also I'm not
> sure how the client verifies the server certificate against the CRL
> automatically, because a checkmark exists in the dial-up
> configuration wherein we can specify "Verify Server
> certificate". Does it mean that it only verifies the validity
> period of the server certificate, or does it also check it against the CRL
> by retrieving the CRL from the location specified in the
> server certificate?
> How does the whole process work...
> Any pointers are welcome.
> 
> TIA
> rgds
> Madhur 
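The distinction both messages turn on (a client that checks the server certificate's signature and validity period versus one that also consults the CRL) is easy to make concrete. The following is an added example, not code from either poster or from Microsoft's RADIUS implementation: it builds a toy "insourced" CA of the kind the reply recommends, issues two user certificates, revokes one in a CRL, and runs a validator that can stop at signature-plus-validity-period or go on to the revocation check. It assumes the third-party `cryptography` package is installed; the CA name, the user names and the one-day CRL lifetime are constructed values, and the CRL is handed to the validator directly instead of being fetched from a distribution point, so it runs offline.

```python
"""Constructed example: toy in-house CA, user certs, a CRL, and a validator.
Assumes the third-party `cryptography` package; no network access is made."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)


def utcnow():
    # Naive UTC, the form cryptography's builders and older accessors use.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _naive(obj, name):
    # Prefer the *_utc accessor (cryptography >= 42), else the naive one.
    value = getattr(obj, name + "_utc", None) or getattr(obj, name)
    return value.replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Example In-House CA"):
    """Self-signed root key and certificate (constructed name)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, cn, not_before=None, not_after=None):
    """End-entity (VPN user or server) certificate signed by the CA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before or now - DAY)
            .not_valid_after(not_after or now + 30 * DAY)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA listing the revoked serials, good for one day."""
    now = utcnow()
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(now).next_update(now + DAY))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(now).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def validate(cert, ca_cert, crl=None, now=None):
    """Status string.  crl=None is the signature-plus-validity-period check;
    passing a CRL adds the revocation check, including trust in the CRL itself."""
    now = now or utcnow()
    if cert.issuer != ca_cert.subject:
        return "wrong-issuer"
    try:  # issuer signature over the to-be-signed bytes (RSA PKCS#1 v1.5 here)
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    if now < _naive(cert, "not_valid_before"):
        return "not-yet-valid"
    if now > _naive(cert, "not_valid_after"):
        return "expired"
    if crl is None:
        return "ok"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-crl-signature"
    if now > _naive(crl, "next_update"):
        return "stale-crl"  # an out-of-date CRL is not evidence of non-revocation
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"


def demo():
    """Build the toy PKI and return the outcome of each check."""
    ca_key, ca_cert = make_ca()
    _, alice = issue_cert(ca_key, ca_cert, "alice")
    _, bob = issue_cert(ca_key, ca_cert, "bob")
    crl = make_crl(ca_key, ca_cert, [bob.serial_number])  # bob's cert is revoked
    rogue_key, rogue_ca = make_ca()  # same CA name, different key
    _, forged = issue_cert(rogue_key, rogue_ca, "alice")
    return {
        "alice_sig_only": validate(alice, ca_cert),
        "bob_sig_only": validate(bob, ca_cert),  # revoked, yet accepted without CRL
        "bob_with_crl": validate(bob, ca_cert, crl),
        "alice_with_crl": validate(alice, ca_cert, crl),
        "forged": validate(forged, ca_cert),
        "crl_two_days_old": validate(alice, ca_cert, crl, now=utcnow() + 2 * DAY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

The `bob_sig_only` case is the gap the reply describes: a revoked certificate passes every check a signature-and-dates-only client performs. The `crl_two_days_old` case shows why a stale CRL has to be treated as a failure rather than as a clean bill of health; how much revocation lag an in-house CA tolerates is set by how short it makes `next_update`.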

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls