> Trevor Jennings wrote:
> We are using freeradius with EAP/SSL and although it is working fine, I was
> wondering if there was a way to prevent the user from getting the prompt to
> accept the certificate? I have combined the intermediate and server
> certificates to one file and used that file in the 'certificate_file' config
> in eap.conf.
>
> On OSX, the certificates are marked as valid, including the root, intermediate
> and server, but still prompts the user to accept. Is there a way around this?
About the only way I can think of is to install a profile (.mobileconfig) which pre-approves the use of that certificate authority. Reason being, if you just accept any old certificate authority, any compromised certificate will work, and on newer OSX/iOS the only way to check the certificate subject for the name of your RADIUS server, which is a better option for patching the hole, is to install a profile, anyway.

So really, this means without prompting the user, any stolen key for any unrevoked certificate from any CA in that entire list, worldwide, could be used to launch a MITM attack and steal passwords or other data. This is not a particularly difficult object to get your hands on.

(Incidentally this is why many environments do not like having Android devices on their wireless LANs since they don't have any such native options accessible from the UI or even a decent way to distribute profiles. Heck, they don't even fake it by making the first certificate they see sticky. The first time warez to perform an MITM on WPA2-Enterprise is packaged in a way that any old script kiddie can use, there will be pain.)

--
Brian Julin
Network Administrator
Clark University

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html