On 20/8/20 1:01 am, Smith, Todd wrote:
> If I come onto your institution then I would have to accept your
> certificate chain to be granted access. Why should I trust your chain
> over a major CA provider? Obviously, you have the control and authority
> to insist on whatever access conditions that you find acceptable, but in
> my case I don’t and I use third-party certs since they are acceptable by
> practically every device.
The risk is not about the initial trust; the risk is that with a public CA, an attacker can obtain a certificate signed by the same CA, spoof your SSID, and obtain PEAP credentials with their validly-signed RADIUS server. Since most clients won't be configured with the specific RADIUS server names and will trust any server signed by the same CA, they will connect to this spoofed SSID without prompting the user. And then, given the way PEAP works, they'll have a password-equivalent secret for the user.

If you have a private CA for your RADIUS servers, nobody else can obtain a certificate signed by it (well, unless they hack your servers). This is a marginal but not insignificant risk to poorly configured clients.

I definitely agree that vendors (both client and wifi infrastructure) should make EAP-TLS easier to deploy.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
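The weakness James describes (a client that trusts a CA but never checks which server name the RADIUS certificate carries) is visible in the supplicant configuration itself. As an added example that is not part of this thread, the following Python audit walks the `network={...}` blocks of a wpa_supplicant configuration and flags PEAP/TTLS networks that either trust no CA at all, or trust a public CA bundle without any of wpa_supplicant's server-name options (`domain_suffix_match`, `domain_match`, `altsubject_match`, `subject_match`). The sample configuration, the SSIDs, file paths and the list of "public" CA bundle paths are constructed for the example and are not taken from any real site.

```python
"""Audit wpa_supplicant network blocks for the PEAP trust weakness discussed
in the thread: a client that trusts a CA but does not match the RADIUS
server's name accepts any server holding a certificate from that CA.
Sample data and the "public bundle" paths below are constructed assumptions."""
import re
from dataclasses import dataclass

# Assumption: bundles that contain public CAs. A certificate chaining to any
# CA in these bundles can be obtained by a third party, so the bundle alone
# does not identify *your* RADIUS server.
PUBLIC_CA_BUNDLES = {
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu system bundle
    "/etc/ssl/cert.pem",                   # another common system bundle path
}

# wpa_supplicant options that pin the server identity on top of the CA check
SERVER_NAME_OPTIONS = ("domain_suffix_match", "domain_match",
                       "altsubject_match", "subject_match")


@dataclass
class Finding:
    ssid: str
    severity: str   # "high" or "low"
    message: str


def parse_networks(config_text):
    """Return one dict (option -> value) per network={...} block, quotes stripped.
    Minimal parser: comments only at line start, no blob/nested syntax."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", config_text, re.S):
        net = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net):
    """Classify one block. Only tunnelled password methods (PEAP, TTLS) are in
    scope: EAP-TLS has no password-equivalent secret for a rogue server to capture."""
    ssid = net.get("ssid", "<no ssid>")
    if "EAP" not in net.get("key_mgmt", ""):
        return []                       # PSK / open network, not 802.1X
    if net.get("eap", "") not in ("PEAP", "TTLS"):
        return []                       # e.g. eap=TLS: certificate client auth
    if "ca_cert" not in net:
        return [Finding(ssid, "high",
                        "no ca_cert: any RADIUS server certificate is accepted")]
    pinned = any(opt in net for opt in SERVER_NAME_OPTIONS)
    if net["ca_cert"] in PUBLIC_CA_BUNDLES and not pinned:
        return [Finding(ssid, "high",
                        "public CA trusted without a server name match: any "
                        "certificate from that CA can impersonate the RADIUS server")]
    if not pinned:
        return [Finding(ssid, "low",
                        "private CA without a server name match: safe only while "
                        "that CA never issues a certificate to anyone else")]
    return []


def audit_config(config_text):
    """Run audit_network over every block of a wpa_supplicant.conf text."""
    findings = []
    for net in parse_networks(config_text):
        findings.extend(audit_network(net))
    return findings


# Constructed sample configuration covering each case the audit distinguishes.
SAMPLE_CONFIG = """
network={
    ssid="campus-public-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="example-only"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-private-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/wpa_supplicant/campus-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-no-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/wpa_supplicant/campus-ca.pem"
    client_cert="/etc/wpa_supplicant/student.crt"
    private_key="/etc/wpa_supplicant/student.key"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="example-psk"
}
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.ssid}: {f.message}")
```

Run against the sample, the audit reports `campus-public-ca` and `campus-no-ca` as high (the cases where a certificate from the same public CA, or any certificate at all, satisfies the client) and `campus-private-ca` as low (the private-CA case from the reply, where the residual risk is the CA itself being compromised); `campus-pinned`, `campus-tls` and the PSK network produce nothing. The same checks apply to managed profiles on other platforms, where the equivalent settings are the trusted root plus the list of accepted server names.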