Apple has confirmed that it is a cert validation delay... and they do respond... eventually - setting the delay to 30 - at least allows the Macs to eventually get online - vs getting stuck in the auth state and requiring user intervention.

I don't think it should impact security holes... technically inside the EAP transaction it's an SSL exchange when the cert is being used - at least for PEAP and TTLS.... but then yes... this shouldn't allow someone to steal this cert/key and use it to create trusted websites - since the browser is using its own cert store/trust mechanism - I believe these system trusts are only for logins.

On Thu, Sep 26, 2013 at 1:43 PM, Julian Y Koh <[email protected]> wrote:

> On Sep 26, 2013, at 15:39, Travis Schick <[email protected]> wrote:
>
> > I have found that this delay will go away if the cert used for WPA2 auth is updated to also always trust for SSL.
>
> That seems suboptimal. Not just because you need to get your clients to change configs, but I wonder how that affects overall trust and if it opens you up to other holes. For example, does changing that setting on the client mean that you won't be able to revoke that certificate? What if your certificate and key get stolen and then used to set up a malicious site somewhere?
>
> Someone else can do that testing. :)
>
> Another vendor is recommending that a timeout value for EAP responses be raised from its default 5 second value to 30 seconds, since the Macs are eventually responding - it just takes a long time in some cases.
>
> --
> Julian Y. Koh
> Acting Associate Director, Telecommunications and Network Services
> Northwestern University Information Technology (NUIT)
>
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> 847-467-5780
> NUIT Web Site: <http://www.it.northwestern.edu/>
> PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
> **********
