(RADIATOR) RE: (Radiator) Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco Aironet1100 AP and Radiator 3.9
Terry Simons
galimore at mac.com
Tue Jul 20 13:05:21 CDT 2004
That would require making every student aware of every server on our
campus, which is extremely decentralized... This is really not an
option for us. (We have a large number of servers which is still
growing rapidly).
I can see though, how that could help with a setup where very few
servers are used.
Also, the ability to specify specific servers is something that I have
seen with PEAP, but not with other clients (we don't use PEAP), though
it might be an interesting feature request. Most of the clients out
there let you specify a single server name, or a domain (such as
.utah.edu).
I think it really depends on how any given organization is set up.
- Terry
Christian Wiedmann wrote:
> Perhaps an easier solution than having your own CA is simply to limit the
> hostnames that you will allow through. Make sure the "Connect to these
> servers" field in the EAP Properties dialog specifies the CN in the
> certificate, and you won't be able to use a different Verisign
> certificate.
>
> Note that I'm using Radiator, PEAP, and a Verisign certificate using this
> setup on Windows XP without any trouble.
>
> -Christian
>
> On Fri, 16 Jul 2004, Terry Simons wrote:
>
>
>> Hi Scott, Mike, Hugh. ;-)
>>
>> A better solution than purchasing a certificate might be to run your
>> own CA and create your own certificates. In fact, this is a much
>> better and more secure solution than even using somebody like
>> Verisign.
>>
>> If you were running a Verisign CA signed server certificate for
>> 802.1X authentication, I could also request a Verisign server
>> certificate, and hand it to your user to pull off a Man in the Middle
>> attack. Because your client is going to verify Verisign (because
>> that's what your certificate was signed against), they will also
>> allow my server certificate (which was also signed by Verisign).
>> This is a bad idea in general, and should probably be avoided.
>> This is a bad idea in general, and should probably be avoided.
>>
>>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
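
The server-validation choices discussed in this thread (trusting a public CA alone, naming one server, naming a domain, or running a private CA), as an added Python sketch that is not part of the original messages. It models certificates as constructed dicts rather than parsing X.509, and every CA name and hostname in it is hypothetical.

```python
# Added illustration: simplified model of a supplicant's server-certificate
# policy. Certificates are constructed dicts, not parsed X.509.
PUBLIC_CA = "Public CA (constructed)"
PRIVATE_CA = "Campus Private CA (constructed)"

def name_matches(presented, pattern):
    """Exact host match, or domain-suffix match when the pattern starts with '.'."""
    presented = presented.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        # The leading dot forces a whole-label boundary, so
        # "radius.evilcampus.example" does not match ".campus.example".
        return presented.endswith(pattern) and len(presented) > len(pattern)
    return presented == pattern

def accept_server(cert, trusted_cas, allowed_names=()):
    """Return True if the modelled client would continue the handshake."""
    if cert["issuer"] not in trusted_cas:
        return False      # issuer is not a CA this client trusts
    if not allowed_names:
        return True       # CA-only policy: any certificate from that CA passes
    return any(name_matches(cert["cn"], p) for p in allowed_names)

# Constructed sample certificates (hypothetical hostnames).
CERTS = {
    "campus":    {"issuer": PUBLIC_CA,  "cn": "radius1.campus.example"},
    "dept":      {"issuer": PUBLIC_CA,  "cn": "radius.dept.campus.example"},
    "outsider":  {"issuer": PUBLIC_CA,  "cn": "radius.other.example"},
    "lookalike": {"issuer": PUBLIC_CA,  "cn": "radius.evilcampus.example"},
    "private":   {"issuer": PRIVATE_CA, "cn": "radius1.campus.example"},
}

POLICIES = {
    "public CA only":     ({PUBLIC_CA}, ()),
    "public CA + server": ({PUBLIC_CA}, ("radius1.campus.example",)),
    "public CA + domain": ({PUBLIC_CA}, (".campus.example",)),
    "private CA only":    ({PRIVATE_CA}, ()),
}

def evaluate():
    """Map each policy name to the set of sample certificates it accepts."""
    return {policy: {n for n, c in CERTS.items() if accept_server(c, cas, names)}
            for policy, (cas, names) in POLICIES.items()}

if __name__ == "__main__":
    for policy, accepted in evaluate().items():
        print(f"{policy:20} accepts: {sorted(accepted)}")
```

The single-server policy rejects the second campus server as well as the outsider, which is the scaling problem raised in the reply; the domain policy accepts both campus servers while still rejecting the outsider and the lookalike name.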