On 01/11/2011 01:58 PM, Rianto Wahyudi wrote:

> Hello,
>
> I did not choose or select any trusted root certification authorities /
> anchor as I originally thought that Windows is smart enough to do it
> automatically.

It probably could choose it automatically, but I think it will not for security reasons. In other words, this should be considered a feature. If it automatically accepts a certificate that has a known root CA and a valid CA certificate chain, this leaves the client vulnerable to attackers with a valid certificate from any valid root CA.

For example, many eduroam sites advise their users to choose these from the Windows PEAP settings:

- Validate server certificate
- Connect to these servers (eduroam.latrobe.edu.au in your case)
- Choose the correct CA cert from the list of "Trusted Root Certificate Authorities"
- Check "Do not prompt user to authorize new servers ..."

When these are set, the client will only build a TLS tunnel to your server.

> If I select thawte Primary Root CA as trusted anchor the connection seems to
> be working.

Sounds correct. I also took a look at the certificate you sent, and the CA path seems to be correct. Your cert was signed by "Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA".

> The other problem is that not all clients have that specific thawte
> certificate installed on their PC.

I think that thawte certificate is very common. It should be installed in most systems.

> Do you think I should change certificate provider? If so, do you guys have
> any recommendation of which SSL provider I should use?

I think your certificate provider should be common enough so that changing would not be that useful. I can not name a provider that would be better. There are many I would say are equally common, but I can not name any that is considerably more common than the one you have.

> In Windows 7, do you have to select a trusted root certification authority
> or will it just work automatically if I use a well known provider?

I do not remember how Windows 7 behaves if you have not chosen the CA. It will probably at least show the certificate and prompt whether it should be accepted. Please consider that choosing the CA and naming the RADIUS server can be thought of as a feature and should be done to make sure your client does not end up sending its credentials to unknown, possibly hostile, servers. It's a bit of work, but it needs to be done only once per client.

> Regards,
> Rianto

Best regards,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
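The two checks Heikki describes (the chosen trust anchor in "Trusted Root Certificate Authorities" and the server name in "Connect to these servers") can be reproduced outside Windows. The script below is an added example, not part of this thread and not Radiator code: it uses the openssl command line to build two throw-away root CAs and three server certificates, then runs the same pair of checks a correctly configured PEAP supplicant performs. Everything except the server name from the thread is constructed on the fly; it assumes only that the `openssl` CLI is installed. The "any known root" configuration models the behaviour the original poster assumed Windows would apply automatically.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not Radiator code).
# Shows with the openssl CLI why a PEAP client must pin ONE trusted root CA
# and the expected RADIUS server name, rather than accept any certificate
# that chains to any well-known root. All CAs and keys are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RADIUS_NAME=eduroam.latrobe.edu.au   # server name taken from the thread

# make_root LABEL: a self-signed root CA (constructed, not a real CA).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/O=Example/CN=$1 root CA" \
    -keyout "$WORK/$1.ca.key" -out "$WORK/$1.ca.pem" >/dev/null 2>&1
}

# make_server LABEL CA_LABEL CN: a server certificate for CN, with a matching
# DNS SAN, issued by the root CA_LABEL.
make_server() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=Example/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.ca.pem" -CAkey "$WORK/$2.ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# peap_server_validation ANCHOR_FILE SERVER_NAME SERVER_CERT
# The two checks of a correctly configured client: the chain must end at the
# chosen anchor ("Validate server certificate") AND the certificate must be
# for the configured name ("Connect to these servers"). Exit 0 only if both hold.
peap_server_validation() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

make_root provider                                 # the CA the site bought from
make_root otherca                                  # a different, equally valid CA
make_server genuine   provider "$RADIUS_NAME"      # the site's real RADIUS cert
make_server impostor  otherca  "$RADIUS_NAME"      # same name, other valid CA
make_server unrelated provider other-host.example.net  # same CA, other host

# Client configurations: "pinned" = only the provider's root was chosen in the
# Trusted Root Certificate Authorities list; "anyroot" = every root the system
# knows (here: both), i.e. the "Windows will sort it out" assumption.
cat "$WORK/provider.ca.pem" > "$WORK/pinned.pem"
cat "$WORK/provider.ca.pem" "$WORK/otherca.ca.pem" > "$WORK/anyroot.pem"

# show LABEL ANCHOR CERT: print the decision for one scenario.
show() {
  if peap_server_validation "$2" "$RADIUS_NAME" "$3"; then r=accept; else r=REJECT; fi
  printf '%-38s %s\n' "$1" "$r"
}

show "pinned root, genuine server"      "$WORK/pinned.pem"  "$WORK/genuine.pem"
show "pinned root, impostor (other CA)" "$WORK/pinned.pem"  "$WORK/impostor.pem"
show "pinned root, wrong server name"   "$WORK/pinned.pem"  "$WORK/unrelated.pem"
show "any known root, impostor"         "$WORK/anyroot.pem" "$WORK/impostor.pem"
```

Only the first scenario is accepted under the pinned configuration; the last line is the one that matters for the thread: with every known root trusted, a certificate for the right name from any other legitimate CA passes, which is exactly why the CA and the server name have to be chosen explicitly per client.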