Re: Question on certificates before deep dive into EAP-TLS
Mathieu Simon wrote: Telling students how to install a internal CA root isn't going to work, it already didn't work for teachers in the past ... Yes. That is a problem. But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices. That would work. I just hope I'm not telling complete bullshit... ;-) Nope. Thank you Alan for your time to answer! It's what I do. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question on certificates before deep dive into EAP-TLS
G'day As a (hopefully) answer-able question to those experienced with EAP-TLS that I've been twisting my brain: Usually I've seen example for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR. Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client? (Taken from Debian's FR 2.1.12) eap.conf: tls { [...] certificate_file = /etc/freeradius/ssl/cert.p # Trusted Root CA list CA_file = /etc/univention/ssl/ucsCA/CAcert.pem [...] The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA) while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't being trusted by devices outside of control of IT department). Best regards Mathieu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on certificates before deep dive into EAP-TLS
Mathieu Simon wrote: Usually I've seen example for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR. Yes. Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client? Yes. It contains a list of valid CAs. The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA) While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea. while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't being trusted by devices outside of control of IT department). That works. The client will need *both* CAs. But why be this complicated? Just use one CA, which is for both EAP-TLS and PEAP. It can issue client certs to some machines, and *not* issue client certs to others. You don't need one CA per EAP method. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on certificates before deep dive into EAP-TLS
Hi Am 11.04.2013 20:08, schrieb Alan DeKok: snip! The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA) While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea. Correct, that for sure isn't what I'd want :-) certificate_file - the server-side certificate - would contain the certificate (and it's trust chain) by the trusted CA. CA_file would only contain the internal CA, such as that only those signed by the one internal CA IT has control over it, would be accepted by FR. (oh and I'd want to have a regularly up-to-date revocation list...) snip! You don't need one CA per EAP method. Sure, I am only looking for the server-side certificate (certificate_file) being signed by a CA that most devices trust - since most of the users are going to use PEAP-MSCHAPv2 with devices not under direct controll of IT. Telling students how to install a internal CA root isn't going to work, it already didn't work for teachers in the past ... But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices. I just hope I'm not telling complete bullshit... ;-) Thank you Alan for your time to answer! -- Mathieu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question at certificates
Hi, I'm a little bit confused, I configure radius with self signed cert, peap+mschap, so if I tried to connect with an android or apple device I get the question if I want to accept the server cert, thats ok, but with windows or linux I get the error that there is no cert, but it still works, why these clients don't download the cert? I can manually add them sure but why is that so different? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question at certificates
Andreas Rudat wrote: I'm a little bit confused, I configure radius with self signed cert, peap+mschap, so if I tried to connect with an android or apple device I get the question if I want to accept the server cert, thats ok, but with windows or linux I get the error that there is no cert, but it still works, why these clients don't download the cert? I can manually add them sure but why is that so different? That's how they work. Ask Microsoft why they designed their system that way. We have no idea. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html