[EMAIL PROTECTED] wrote on 10.01.2008 14:53:
> Hi,
> 
>>   RADIUS certificates for EAP should ALMOST ALWAYS be self-signed.  That
>> means that no one else can successfully convince the users to send them
>> the passwords.
> 
> Seconded/thirded.  As UK eduroam support I agree that such a closed-loop
> system provides better protection.  Though more config and deployment pains,
> certainly ;-)

Actually we were talking about server side config.

Looking at the supplicant, the user should enter the fully qualified name of
the RADIUS server against which he expects his authN to be checked, and he
should make sure that his supplicant strictly checks that this FQDN matches
the CN of the RADIUS server cert. Usually there is some checkbox/option to
enable that behavior.

If the supplicant is not configured that strictly, at the end of the day it
does not matter whether you rolled your own self-signed RADIUS server cert or
you have a cert whose root CA is pre-installed.

-- 
Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN-Workshop "Sicherheit in vernetzten Systemen"
(Security in Networked Systems) on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, Hamburg District Court (AG Hamburg), HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
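To make the supplicant-side point above concrete, here is an added example (not part of the original post or of any eduroam/FreeRADIUS documentation) showing a weak and a hardened wpa_supplicant network block for a PEAP/MSCHAPv2 WLAN. The SSID, identities, certificate path and the server name radius.example.org are placeholders. The hardened block pins the self-signed RADIUS server certificate as the only trusted CA and requires the expected FQDN in the server certificate, which is exactly the "strict" configuration the mail calls for.

```conf
# Added example, not from the original post. All names and paths are placeholders.

# Weak: no CA pinned and no server-name check. The supplicant will complete the
# TLS tunnel with, and send the inner credentials to, any server that presents
# a certificate, whether it is a rogue access point's self-signed cert or a
# cert from a well-known commercial CA.
network={
    ssid="campus-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="changeme"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_match / subject_match
}

# Hardened: trust only the organisation's own RADIUS server certificate
# (a self-signed cert is its own root, so pinning it here is sufficient),
# require the exact server FQDN, and hide the real username behind an
# anonymous outer identity so it only travels inside the TLS tunnel.
network={
    ssid="campus-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="changeme"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/radius-example-org.pem"
    # Full-match requirement against the server certificate's name
    # (SubjectAltName dNSName, falling back to the CN).
    domain_match="radius.example.org"
}
```

Older wpa_supplicant releases from around the time of this thread only offered `subject_match`, a substring match on the subject DN (for example `subject_match="/CN=radius.example.org"`); it serves the same purpose but should be written to include the `/CN=` prefix so that it cannot be satisfied by an unrelated field. The equivalent controls in the Windows PEAP properties dialog are "Validate server certificate" together with "Connect to these servers", which is the "checkbox/option" the mail refers to; leaving either unset reproduces the weak block above.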
