(RADIATOR) RE: (Radiator) Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco Aironet 1100 AP and Radiator 3.9

Christian Wiedmann cw_radiator at wiedmann.org
Fri Jul 16 14:18:04 CDT 2004


Perhaps an easier solution than having your own CA is simply to limit the
hostnames that you will allow through.  Make sure the "Connect to these
servers" field in the EAP Properties dialog specifies the CN in the
certificate, and you won't be able to use a different Verisign certificate.

Note that I'm using Radiator, PEAP, and a Verisign certificate using this
setup on Windows XP without any trouble.

	-Christian

On Fri, 16 Jul 2004, Terry Simons wrote:

> 
> Hi Scott, Mike, Hugh.  ;-)
> 
> A better solution than purchasing a certificate might be to run your 
> own CA and create your own certificates.  In fact, this is a much 
> better and more secure solution than even using somebody like Verisign.
> 
> If you were running a Verisign CA signed server certificate for 802.1X 
> authentication, I could also request a Verisign server certificate, and 
> hand it to your user to pull off a Man in the Middle attack.  Because 
> your client is going to verify Verisign (because that's what your 
> certificate was signed against), they will also allow my server 
> certificate (which was also signed by Verisign).  This is a bad idea in 
> general, and should probably be avoided.
> 
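
The two approaches discussed in this thread, modelled as an added example that is not part of either post: a supplicant that trusts only the issuing CA, one that also restricts the server name, and one that trusts only a private CA. The certificate fields, CA names and hostnames are constructed, and signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for the fields a supplicant checks; not an X.509 parser."""
    subject_cn: str
    issuer: str  # name of the CA that signed the certificate

@dataclass(frozen=True)
class SupplicantPolicy:
    trusted_cas: frozenset      # root CAs the client is configured to trust
    allowed_servers: frozenset  # server names the client will connect to; empty = any

def evaluate(policy, cert):
    """Return (accepted, reason) for a server certificate offered during PEAP."""
    if cert.issuer not in policy.trusted_cas:
        return False, "untrusted CA"
    names = {n.lower() for n in policy.allowed_servers}
    if names and cert.subject_cn.lower() not in names:
        return False, "server name not allowed"
    return True, "accepted"

# Constructed sample data: the site's real server and a second server whose
# certificate was issued by the same public CA to a different party.
LEGIT = ServerCert("radius.example.org", "Public CA")
OTHER = ServerCert("radius.other.example", "Public CA")
LEGIT_PRIVATE = ServerCert("radius.example.org", "Example Org Private CA")

CA_ONLY = SupplicantPolicy(frozenset({"Public CA"}), frozenset())
CA_AND_NAME = SupplicantPolicy(frozenset({"Public CA"}),
                               frozenset({"radius.example.org"}))
PRIVATE_CA = SupplicantPolicy(frozenset({"Example Org Private CA"}), frozenset())

def decision_table():
    """Evaluate every policy against every certificate."""
    policies = {"ca_only": CA_ONLY, "ca_and_name": CA_AND_NAME,
                "private_ca": PRIVATE_CA}
    certs = {"legit": LEGIT, "other": OTHER, "legit_private": LEGIT_PRIVATE}
    return {(p, c): evaluate(pol, crt)
            for p, pol in policies.items() for c, crt in certs.items()}

if __name__ == "__main__":
    for (p, c), (ok, why) in sorted(decision_table().items()):
        print(f"{p:12} {c:14} {'ACCEPT' if ok else 'REJECT'}  {why}")
```
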
