(RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9

Terry Simons galimore at mac.com
Tue Jul 20 13:05:21 CDT 2004


That would require making every student aware of every server on our 
campus, which is extremely decentralized... This is really not an 
option for us.  (We have a large number of servers which is still 
growing rapidly).

I can see though, how that could help with a setup where very few 
servers are used.

Also, the ability to specify specific servers is something that I have 
seen with PEAP, but not with other clients (we don't use PEAP), though 
it might be an interesting feature request.  Most of the clients out 
there let you specify a single server name, or a domain (such as 
.utah.edu).

I think it really depends on how any given organization is set up.

- Terry

Christian Wiedmann wrote:

> Perhaps an easier solution than having your own CA is simply to limit
> the hostnames that you will allow through.  Make sure the "Connect to
> these servers" field in the EAP Properties dialog specifies the CN in
> the certificate, and you won't be able to use a different Verisign
> certificate.
>
> Note that I'm using Radiator, PEAP, and a Verisign certificate using
> this setup on Windows XP without any trouble.
>
> 	-Christian
>
> On Fri, 16 Jul 2004, Terry Simons wrote:
>
>
>> Hi Scott, Mike, Hugh.  ;-)
>>
>> A better solution than purchasing a certificate might be to run your 
>> own CA and create your own certificates.  In fact, this is a much 
>> better and more secure solution than even using somebody like 
>> Verisign.
>>
>> If you were running a Verisign CA signed server certificate for 
>> 802.1X authentication, I could also request a Verisign server 
>> certificate, and hand it to your user to pull off a Man in the Middle 
>> attack.  Because your client is going to verify Verisign (because 
>> that's what your certificate was signed against), they will also 
>> allow my server certificate (which was also signed by Verisign).  
>> This is a bad idea in general, and should probably be avoided.
>>
>>
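
The trade-offs discussed in this thread, as an added example that is not part of the original messages: a Python model of a supplicant's accept/reject decision under four policies (public CA only, pinned server name, domain suffix, private CA). The CA names, the hostnames, and every class and function name are constructed for illustration; only the `.utah.edu` suffix comes from the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ServerCert:
    issuer: str  # CA that signed the RADIUS server certificate
    cn: str      # subject CN the server presents

@dataclass(frozen=True)
class SupplicantPolicy:
    trusted_cas: frozenset
    server_name: Optional[str] = None    # exact CN the client requires
    domain_suffix: Optional[str] = None  # e.g. ".utah.edu"

def suffix_matches(cn: str, suffix: str) -> bool:
    """Compare on a DNS label boundary so 'evilutah.edu' fails '.utah.edu'."""
    cn, bare = cn.lower().rstrip("."), suffix.lower().strip(".")
    return cn == bare or cn.endswith("." + bare)

def accepts(policy: SupplicantPolicy, cert: ServerCert) -> bool:
    """Return True if the client would continue the EAP-TLS/PEAP handshake."""
    if cert.issuer not in policy.trusted_cas:
        return False
    if policy.server_name is not None:
        return cert.cn.lower() == policy.server_name.lower()
    if policy.domain_suffix is not None:
        return suffix_matches(cert.cn, policy.domain_suffix)
    return True  # CA check only: every certificate from that CA passes

# Constructed sample data (hypothetical CAs and hosts).
PUBLIC_CA, CAMPUS_CA = "Public CA", "Campus CA"
campus = ServerCert(PUBLIC_CA, "radius1.utah.edu")
other_campus = ServerCert(PUBLIC_CA, "radius7.cs.utah.edu")
outsider = ServerCert(PUBLIC_CA, "radius.example.net")
lookalike = ServerCert(PUBLIC_CA, "radius.evilutah.edu")
campus_signed = ServerCert(CAMPUS_CA, "radius42.dept.utah.edu")

ca_only = SupplicantPolicy(frozenset({PUBLIC_CA}))
pinned = SupplicantPolicy(frozenset({PUBLIC_CA}), server_name="radius1.utah.edu")
by_domain = SupplicantPolicy(frozenset({PUBLIC_CA}), domain_suffix=".utah.edu")
private = SupplicantPolicy(frozenset({CAMPUS_CA}))

if __name__ == "__main__":
    certs = [campus, other_campus, outsider, lookalike, campus_signed]
    for name, pol in [("ca_only", ca_only), ("pinned", pinned),
                      ("by_domain", by_domain), ("private", private)]:
        print(name, [c.cn for c in certs if accepts(pol, c)])
```
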

