Re: EAP + SSL + Certificate chains
Hey, I wanted to say thanks for the tips! I convinced the peers that it was not a good idea to allow auto certificate acceptance and to just have the clients accept it when the new certificate went online.

Cheers,
- Trevor

On Thu, Sep 12, 2013 at 3:46 PM, Brian Julin wrote:
> > Mathieu wrote:
> > At least from that side there is hope for improvements with Android 4.3
> > onwards there are API calls for enterprise wireless configuration.
> >
> > Maybe "someone" steps up by making an application that can manage
> > profiles or something like this.
>
> That is promising, but I hope this does not become a case of
> "Oh, there's an app for that basic system function" versus it being in the
> core UI. Because nobody will have it pre-installed.
>
> --
> Brian

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP + SSL + Certificate chains
> Mathieu wrote:
> At least from that side there is hope for improvements with Android 4.3
> onwards there are API calls for enterprise wireless configuration.
>
> Maybe "someone" steps up by making an application that can manage
> profiles or something like this.

That is promising, but I hope this does not become a case of "Oh, there's an app for that basic system function" versus it being in the core UI. Because nobody will have it pre-installed.

--
Brian
RE: EAP + SSL + Certificate chains
> Trevor Jennings wrote:
> We are using freeradius with EAP/SSL and although it is working fine, I was
> wondering if there was a way to prevent the user from getting the prompt to
> accept the certificate? I have combined the intermediate and server
> certificates to one file and used that file in the 'certificate_file' config
> in eap.conf.
>
> On OSX, the certificates are marked as valid, including the root, intermediate
> and server, but still prompts the user to accept. Is there a way around this?

About the only way I can think of is to install a profile (.mobileconfig) which pre-approves the use of that certificate authority. Reason being, if you just accept any old certificate authority, any compromised certificate will work, and on newer OSX/iOS the only way to check the certificate subject for the name of your RADIUS server, which is a better option for patching the hole, is to install a profile anyway.

So really, this means that without prompting the user, any stolen key for any unrevoked certificate from any CA in that entire list, worldwide, could be used to launch a MITM attack and steal passwords or other data. This is not a particularly difficult object to get your hands on.

(Incidentally, this is why many environments do not like having Android devices on their wireless LANs, since they don't have any such native options accessible from the UI or even a decent way to distribute profiles. Heck, they don't even fake it by making the first certificate they see sticky. The first time warez to perform an MITM on WPA2-Enterprise is packaged in a way that any old script kiddie can use, there will be pain.)

--
Brian Julin
Network Administrator
Clark University
Re: EAP + SSL + Certificate chains
2013/9/12 Brian Julin
> > Trevor Jennings wrote:
> > [...]
> > On OSX, the certificates are marked as valid, including the root, intermediate
> > and server, but still prompts the user to accept. Is there a way around this?
>
> About the only way I can think of is to install a profile (.mobileconfig) which
> pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users, look into mobileconfig signing. TERENA has a good example of how to do this for eduroam: https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

> Reason being, if you just accept any old certificate authority any compromised
> certificate will work, and on newer OSX/iOS the only way to check the certificate
> subject for the name of your RADIUS server.

And as you mention OS X: yes, the same .mobileconfig for iOS will work for OS X 10.7 onwards, which was a quite nice thing to know in my environment.

> [...]
> (Incidentally this is why many environments do not like having Android devices
> on their wireless LANs since they don't have any such native options accessible
> from the UI or even a decent way to distribute profiles.

At least from that side there is hope for improvements: with Android 4.3 onwards there are API calls for enterprise wireless configuration. Maybe "someone" steps up by making an application that can manage profiles or something like this.

> Heck they don't even fake it by making the first certificate they see sticky.

Worse... ;-) It's up to the user to install the CA certificate on their own - even if that is a public CA in Android, they can't select it otherwise (!). At least then authentication stops if you put up a server certificate not signed by that specified CA.

The only open source provisioning tool for Android (that I believe didn't get much traction) is SU1X for Android, made by Swansea University for eduroam.

--
Mathieu
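The two replies above describe the fix in words: ship a .mobileconfig that installs your CA as the only trusted anchor for the SSID and pins the RADIUS server's certificate name, so the client never has to ask the user. The script below is an added example, written for this page and not code from any poster, FreeRADIUS, or Apple; it generates such a profile with the standard library `plistlib` and checks that the Wi-Fi payload really is anchored. The SSID, the `org.example.wifi` identifier prefix, the server name `radius.example.edu`, and the EAP type (25 = PEAP) are assumptions, and the CA bytes are a constructed placeholder: a real profile needs the DER of your actual CA certificate.

```python
import plistlib
import uuid

# Constructed stand-in for the DER-encoded CA certificate that signs the RADIUS
# server certificate. A real profile must carry the real DER bytes, e.g. the
# output of `openssl x509 -in ca.pem -outform DER`.
CA_DER_PLACEHOLDER = b"-- constructed placeholder, not a real DER certificate --"

ORG_PREFIX = "org.example.wifi"  # assumed reverse-DNS prefix for payload identifiers


def build_wifi_profile(ssid, ca_der, trusted_server_names, eap_types=(25,),
                       org_prefix=ORG_PREFIX, display_name=None):
    """Return the XML bytes of a .mobileconfig that installs a CA and a
    WPA2-Enterprise network which trusts a RADIUS server only if its
    certificate chains to that CA AND its name matches trusted_server_names.

    eap_types defaults to (25,) = PEAP; use (13,) for EAP-TLS or (21,) for TTLS.
    """
    if not trusted_server_names:
        # Anchoring alone still accepts any server cert the CA ever issued.
        raise ValueError("TLSTrustedServerNames must not be empty")

    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()

    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA certificate",
        "PayloadCertificateFileName": "radius-ca.cer",
        "PayloadContent": ca_der,  # bytes are serialised as a <data> element
    }

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.ssid.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            # Only server certificates chaining to this installed CA are trusted...
            "PayloadCertificateAnchorUUID": [ca_uuid],
            # ...and only if the server certificate's name is one of these
            # (Apple allows a leading wildcard such as "*.example.edu").
            "TLSTrustedServerNames": list(trusted_server_names),
            # Optional key: do not let the user accept an unknown certificate.
            "TLSAllowTrusted": False,
        },
    }

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name or f"{ssid} Wi-Fi profile",
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [ca_payload, wifi_payload],  # here a list of payloads
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profile_pins_server(profile_bytes):
    """Parse a profile and return (anchored, server_names).

    anchored is True only when every anchor UUID in the Wi-Fi payload resolves
    to a com.apple.security.root payload in the same profile and user trust
    exceptions are disabled; server_names is the TLSTrustedServerNames list.
    """
    profile = plistlib.loads(profile_bytes)
    roots = {p["PayloadUUID"] for p in profile["PayloadContent"]
             if p["PayloadType"] == "com.apple.security.root"}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] == "com.apple.wifi.managed":
            eap = p["EAPClientConfiguration"]
            anchors = eap.get("PayloadCertificateAnchorUUID", [])
            anchored = (bool(anchors) and all(a in roots for a in anchors)
                        and not eap.get("TLSAllowTrusted", True))
            return anchored, eap.get("TLSTrustedServerNames", [])
    return False, []


def example_profile():
    """Profile for the assumed SSID/server name used in this example."""
    return build_wifi_profile("eduroam", CA_DER_PLACEHOLDER, ["radius.example.edu"])


if __name__ == "__main__":
    with open("wifi.mobileconfig", "wb") as fh:
        fh.write(example_profile())
    print(profile_pins_server(example_profile()))
```

The unsigned profile installs but is shown as "Unverified"; to get the green "Verified" state the TERENA page above describes, sign the output as a DER-encoded S/MIME blob with a certificate the device already trusts, for example `openssl smime -sign -signer signing-cert.pem -inkey signing-key.pem -certfile chain.pem -nodetach -outform der -in wifi.mobileconfig -out wifi-signed.mobileconfig`. Keep the server name in the RADIUS certificate's subject CN (or a wildcard covering it) in `TLSTrustedServerNames` whenever the certificate is renewed, otherwise clients will correctly refuse to connect instead of prompting.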
EAP + SSL + Certificate chains
Hello,

We are using freeradius with EAP/SSL and although it is working fine, I was wondering if there was a way to prevent the user from getting the prompt to accept the certificate? I have combined the intermediate and server certificates to one file and used that file in the 'certificate_file' config in eap.conf.

On OSX, the certificates are marked as valid, including the root, intermediate and server, but still prompts the user to accept. Is there a way around this?

Cheers,
- Trevor