On Mon, 1 Aug 2005, [EMAIL PROTECTED] wrote:

I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
is after authenticating against FreeRadius, XP asks me to OK
the server certificate.

I do not want to manually validate the server certificate.  XP should be able
to validate the certificate by itself, as long as the cert has been issued by
a valid Certificate Authority.  I have tried using certs from DigiCert and
Verisign.

Hi,

In an 802.1x context, it is best to use certs from a self-signed CA, rather than a well-known CA (such as Verisign).

This is because an attacker could dupe your users' supplicants by acquiring a certificate from the same CA that you trust (i.e. Verisign), and install a rogue WAP near your premises to steal inner-tunnel credentials.

There is a solution, and this is to get the supplicant to verify certain attributes within the server cert. However, I am aware of only one supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend using a self-signed CA.

Evidently, you'll need to distribute the CA's root certificate to your users.

josh.
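
The trust decision described in the reply above, reproduced with the `openssl` command line as an added example that is not part of the original thread. A throwaway "public" CA stands in for a well-known CA; all CA names, host names and the helper functions `make_ca`, `issue`, `accepts` and `verdict` are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: CA names and host names are placeholders, not from the thread.
set -e
D=$(mktemp -d)

# make_ca NAME: self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$D/$1.key" -out "$D/$1.pem" 2>/dev/null
}

# issue CA CN OUT: server certificate for CN, signed by CA, written to OUT.pem.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$3.key" -out "$D/$3.csr" 2>/dev/null
    openssl x509 -req -in "$D/$3.csr" -CA "$D/$1.pem" -CAkey "$D/$1.key" \
        -CAcreateserial -days 30 -out "$D/$3.pem" 2>/dev/null
}

# accepts CA CERT [NAME]: the chain must end at CA; if NAME is given, the
# certificate subject must also be exactly CN=NAME (the extra attribute check).
accepts() {
    openssl verify -CAfile "$D/$1.pem" "$D/$2.pem" >/dev/null 2>&1 || return 1
    [ -n "$3" ] || return 0
    subj=$(openssl x509 -in "$D/$2.pem" -noout -subject -nameopt RFC2253)
    [ "${subj#subject=}" = "CN=$3" ]
}

verdict() { if accepts "$@"; then echo accept; else echo reject; fi; }

make_ca public-ca                                   # stand-in for a well-known CA
make_ca private-ca                                  # the site's own self-signed CA
issue public-ca  radius.example.org radius-public   # real server, public-CA cert
issue public-ca  rogue.example.net  rogue           # other customer of the same CA
issue private-ca radius.example.org radius-private  # real server, private-CA cert

echo "public CA only, rogue cert:        $(verdict public-ca rogue)"
echo "public CA + name check, rogue:     $(verdict public-ca rogue radius.example.org)"
echo "public CA + name check, real:      $(verdict public-ca radius-public radius.example.org)"
echo "private CA only, rogue cert:       $(verdict private-ca rogue)"
echo "private CA only, real server:      $(verdict private-ca radius-private)"
```

Only the first case accepts a certificate that does not belong to the site's RADIUS server, which is why a supplicant that cannot check the server name is safer trusting a private CA alone.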

