Hi,

> But I don't plan on distributing client certificates for authentication. I
> intend for them to login with a username and password checked against my
> Radius server, so I'm not sure what role the certificate plays in that
> process?
The certificate is for the RADIUS server - this will let your clients know that they really are establishing a RADIUS authentication with a server they can verify. I.e. myCA signs the RADIUS server, the client then has the myCA cert installed and is configured to check the RADIUS server, e.g. radius.my.org, and validate that against the server. In this case, you will need the myCA CA cert installed on the client.

Why do this? So that you can verify and validate the RADIUS server - if you don't, then a man-in-the-middle attack could be accomplished and then you'll be sending usernames and passwords to that 3rd party server. Very nice for Mr Cracker.

Why use your own CA? Well, in the case of EAP-TLS, this gives extra security... but even in the case of EAP-TTLS or EAP-PEAP - if the RADIUS server is signed by e.g. Verisign, then ANYONE can get a Verisign certificate with some cash.... e.g. radius.fake.org, and then they can attempt a man-in-the-middle.... Okay, if the client is secured properly, then it won't talk to radius.fake.org because it's been asked to validate the RADIUS server.... but if it hasn't been configured properly, then the client will happily talk to radius.fake.org - because it has the Verisign CA installed and will validate that all is okay.

How often is this a worry? I'm afraid, after looking at many sites' 'how to configure your client', the 'validate cert' stage is often overlooked, ignored... or even worse... people are told NOT TO (probably because the site hasn't got their RADIUS configured correctly, can't handle the SSL stuff properly or has chosen the self-signed CA and hasn't got around to ways of deploying that client :-( )

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
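The client-side check alan describes, written out as an added example (not from the post, and not FreeRADIUS's or wpa_supplicant's own documentation): a wpa_supplicant network block for PEAP/MSCHAPv2. The first block is the weak setup that some guides hand out, with no `ca_cert`, so the supplicant never verifies the server certificate and will run the inner password exchange against whatever server answers. The second block installs the myCA cert as the only trusted issuer and requires the server name to match. The SSID, file paths, identity and password are placeholders; myCA and radius.my.org are the names used in the post.

```conf
# Added example, not from the post: wpa_supplicant.conf fragments for
# PEAP/MSCHAPv2 against a RADIUS server. Only one of the two network
# blocks should actually be present in a real file.

# 1. Weak configuration: ca_cert is missing, so wpa_supplicant does NOT
#    verify the RADIUS server certificate. Any RADIUS server presenting
#    some certificate (e.g. one for radius.fake.org) is accepted, and the
#    username/password inner exchange runs against it - the MITM case.
network={
    ssid="corp-wifi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@my.org"           # placeholder identity
    password="changeme"              # placeholder password
    phase2="auth=MSCHAPV2"
    # ca_cert deliberately absent: server cert accepted unverified
}

# 2. Corrected configuration: trust only the private CA (myCA) that signed
#    the RADIUS server, and require the server's certificate name to match.
#    A certificate for radius.fake.org chained to a public CA fails the
#    ca_cert check; a myCA-issued cert for any other name fails the
#    name match.
network={
    ssid="corp-wifi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@my.org"           # placeholder identity
    password="changeme"              # placeholder password
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/myCA.pem"     # path is an assumption: myCA cert on the client
    domain_suffix_match="radius.my.org"   # server cert dNSName/CN must match this name
}
```

The two checks are independent and both are needed: `ca_cert` alone still accepts any certificate myCA ever issued, and the name match alone would accept a public-CA certificate for the right name. On the FreeRADIUS side the matching myCA-signed server certificate and key are what the `certificate_file` and `private_key_file` entries in the `tls` section of eap.conf point at.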