> No. You are saying that the supplicant should trust those root CAs
> for ALL authentication.
>
> i.e. you have a certificate for "example.com", signed by Verisign.
> The supplicant is configured to trust the verisign-signed certificates,
> because that's what you have.
>
> Now *anyone* who is issued a certificate from verisign can
> authenticate your users. If your users are using EAP-TTLS with PAP
> authentication, you've just convinced them to send their clear-text
> password to some random person on the Internet.
>
> RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That
> means that no one else can successfully convince the users to send them
> the passwords.
I definitely second that. We keep telling our eduroam participants that well-known CAs are not only no plus, but instead MAY introduce insecurity (properly configured supplicants also check the CN in the certificate, which makes the risk go away; still, if a user forgets that, recognised CAs introduce a threat while self-signed ones don't). Either self-signed certs or at least dedicated CAs for the specific purpose of RADIUS Auth are the best practice.

Some people who are in possession of a cert-store-present (read: browser-recognised) CA think it solves all problems whatsoever. They have a hard time learning that it can actually be a hindrance, but it is a lesson everyone who is really concerned about security should learn at some point.

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu         Fax: +352 422473
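The two supplicant configurations the thread contrasts, written out as an added example (not from either poster, and not an eduroam or FreeRADIUS project file): an EAP-TTLS/PAP profile that trusts the whole browser CA bundle without a server-name check, beside one that trusts only a dedicated RADIUS CA and pins the server name. The SSID is eduroam's; the realm, server name and file paths are assumed placeholders.

```ini
# Added example, not part of the original thread. Two wpa_supplicant
# network blocks for an EAP-TTLS/PAP profile; realm, server name and
# file paths are assumed placeholders.

# WEAK: trusts every public CA in the OS bundle and never checks who
# the server is. Any RADIUS server presenting a certificate from any
# of those CAs completes the TLS tunnel and receives the PAP password.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="<user-password>"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # no subject_match / domain_match: the CN is never verified
}

# HARDENED: ca_cert holds only the institution's dedicated RADIUS CA
# (or the self-signed server certificate itself), and domain_match pins
# the expected server name. A certificate from any other issuer, or for
# any other name, is rejected before the inner PAP exchange starts.
# (subject_match is the older key that matched on the subject CN;
# domain_match / domain_suffix_match are the current equivalents.)
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="<user-password>"
    ca_cert="/etc/wpa_supplicant/example-org-radius-ca.pem"
    domain_match="radius.example.org"
}
```

Both checks matter together: a dedicated CA limits who can issue a trusted certificate, and the name match catches a certificate that is valid under that CA but issued for another host.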
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html