John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really
>> recommended.
>
> Why?
>
> P.S. just to clarify, it's not "using a known root CA for
> RADIUS authentication", rather it's using a server cert signed by a
> known root CA.
Sure. It's because *anyone* can set up an AP, and a RADIUS server that your PC will accept. If the AP has the same SSID as (say) your work, it will happily send your work username && login via EAP to the rogue AP.

The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN "[email protected]" should be sent logins for "[email protected]", but NEVER sent logins for "[email protected]".

You should ONLY send your login credentials when you *know* who it is on the other end of the EAP conversation.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
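As an added illustration of the point above (not part of the thread), here is a wpa_supplicant network block in the weak form beside one that pins the issuing CA and requires the RADIUS server's certificate identity to match the realm whose login is being sent. The SSID, identities, CA file path and server name are constructed placeholders.

```conf
# Weak: no ca_cert means the server certificate is not validated at all,
# and no domain_match means any name in the cert is accepted. A rogue AP
# using the same SSID gets the inner credentials.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
}

# Hardened: validate the chain only against the organisation's own RADIUS
# CA (a constructed path) and require the server certificate's dNSName or
# CN to be exactly the expected server name. Credentials are never sent
# unless both checks pass, which is the "know who is on the other end"
# requirement. anonymous_identity keeps the real username out of the outer
# EAP-Identity exchange.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-corp-radius-ca.pem"
    domain_match="radius.example.com"
    # Alternative when several servers share a parent domain:
    # domain_suffix_match="example.com"
}
```

With ca_cert and domain_match set, a certificate for another realm, even one issued by a CA the operating system trusts, fails the match and wpa_supplicant aborts the EAP exchange before the inner MSCHAPv2 credentials are sent.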

