Hi,
That road is painful. What we've come up with so far is supplying
pre-configured supplicants (SecureW2) that bring the proper CA certificate
along and set the expected CN automatically. It can even be preconfigured to
auto-discard any other certificates, which doesn't give the user any
This is definitely more elegant than my suggestion but I found that many
FreeRADIUS admins get confused by the
CA_file
CA_path
options. They think that they need to place the CA chain from *their
FreeRADIUS servers SSL certificate* in the file/directory specified in above
options. But by doing
Reimer Karlsen-Masur, DFN-CERT wrote:
Alan DeKok wrote on 10.01.2008 11:26:
Reimer Karlsen-Masur, DFN-CERT wrote:
Reimer Karlsen-Masur, DFN-CERT wrote:
Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
has its root CA certificate preinstalled in the standard certificate stores...
No. You are saying that the supplicant should trust those root CA's
for ALL authentication.
Hi,
RADIUS certificates for EAP should ALMOST ALWAYS be self-signed. That
means that no one else can successfully convince the users to send them
the passwords.
seconded/thirded. as UK eduroam support I agree that such a closed-loop
system provides a better protection. though more config
[EMAIL PROTECTED] wrote on 10.01.2008 14:53:
Hi,
If the supplicant is not configured that strictly, at the end of the day it
does not matter if you rolled your own self-signed RADIUS server cert or
you have a cert with its root CA pre-installed.
Actually, it's not quite the same: if the user at least managed to enable the
CA checking,
Reimer Karlsen-Masur, DFN-CERT wrote:
Actually we were talking about server side config.
Yes. The server has been updated to simplify configurations without
EAP-TLS, and to document the issues involved in certificates.
Looking at the supplicant, the user strongly should enter a fully qualified
Stefan Winter wrote on 10.01.2008 15:51:
Hi,
Oh, it exists. It's called subject_match within a network { } stanza of
wpa_supplicant, and all the Windows supplicants I've seen so far allow you to
set your expectations on the server name. It's turned off by default though.
agreed. it is there.
however, this puts the security on the client end...and they'll still
get a connection with the proper server even if they've omitted
all the checks. this is bad generally - you need to have a way
of the server checking that these client settings are enforced.
oh well. I guess that's what
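The point made above is that the server cannot see whether a supplicant actually validates its certificate, so the only place to catch a missing ca_cert or subject_match is on the client side. The script below is an added example, not code from the thread or from the wpa_supplicant project: it parses the network { } stanzas of a wpa_supplicant.conf and flags every WPA-EAP network that omits ca_cert or subject_match. ca_cert, subject_match, key_mgmt and eap are real wpa_supplicant options; the two stanzas, the SSIDs, the CA path and the server name are constructed sample input. Note that subject_match is a substring match against the server certificate subject, so the value should be as specific as the "/CN=..." string used here.

```python
"""Audit wpa_supplicant network blocks for missing server-certificate checks.

Added example, not from the mailing-list thread. With ca_cert missing the
supplicant accepts any server certificate; with subject_match missing it
accepts any certificate issued under the configured CA. Either way a rogue
RADIUS server can complete EAP-TTLS/PEAP and harvest the inner credentials.
"""
import re

# Constructed sample config: the first network is the weak default
# (no CA pinning, no server-name check), the second is the strict one.
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="secret"
    phase2="auth=PAP"
}

network={
    ssid="eduroam-strict"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="secret"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    subject_match="/CN=radius.example.org"
}
'''

# One network { ... } block; DOTALL so the body may span lines.
NETWORK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.DOTALL)
# One key=value line inside a block; optional double quotes around the value.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.MULTILINE)


def parse_networks(conf):
    """Return a list of dicts, one per network { } block, key -> value."""
    return [dict(KV_RE.findall(block)) for block in NETWORK_RE.findall(conf)]


def audit_network(net):
    """Return the list of missing server-certificate checks for one block."""
    if net.get("key_mgmt") != "WPA-EAP":
        return []  # PSK/open networks have no server certificate to check
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if "subject_match" not in net:
        findings.append("no subject_match: any name under the CA is accepted")
    return findings


def audit(conf):
    """Map ssid -> findings for every network in the config text."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real /etc/wpa_supplicant.conf by reading the file into `audit()`; a network that reports OK still depends on the pinned CA being the one that actually issued the RADIUS server certificate, which the thread's self-signed-CA recommendation makes a closed loop.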
Alan,
I tried with the configuration you had given below, but it does not work
out. Still radius server is accepting TLS method.
Thanks,
Nikitha
On 1/9/08, Alan DeKok [EMAIL PROTECTED] wrote:
nikitha george wrote:
Hi,
I want to enable only TTLS authentication and if the client is
nikitha george wrote:
And debug mode says ?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stefan Winter wrote:
For the built-in supplicant in XP/Vista: it generally sucks. There is the
new Wireless Native API that is supposed to allow scripted auto-setups of
802.1X settings for an SSID, but we haven't tested if that's really
practical. If you can find a student to code on that
Hi,
nikitha george wrote on 09.01.2008 10:04:
Hi,
I want to enable only TTLS authentication and if the client is
requesting any other types EAP-TLS or PEAP the authentication should be
denied.
within the eap section you must configure the tls and the ttls section.
Delete the peap section.
I think there is a cleaner way.
I enabled only EAP-TTLS and disabled EAP-TLS just by putting this line in
/etc/raddb/users
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
It works, I think Alan gave me this hint 1 year ago, maybe it could be
put in the FAQ
since it is an interesting
Riccardo Veraldi wrote:
Hi,
Hi,
I want to enable only TTLS authentication and if the client is requesting
any other types EAP-TLS or PEAP the authentication should be denied.
I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
server itself is not starting up.
Please let me know if there are any
Yes this is much better, but anyway I had disabled PEAP in eap.conf.
thanks
Rick
Arran Cudbard-Bell ha scritto:
nikitha george wrote: