(RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9

Terry Simons galimore at mac.com
Tue Jul 20 15:34:23 CDT 2004


Hi Christian,

Sorry... I misspoke.  ;-)

The multiple-server name thing can only work if you are using one of 
the MS built-in EAP-types.  (Which we are not doing...)  Anyone using 
SecureW2, or Meetinghouse's AEGIS client (Maybe Funk?) can't verify 
against multiple server names, as far as I know.

- Terry

On Jul 20, 2004, at 2:29 PM, Christian Wiedmann wrote:

> Actually, since the usage of certificates in PEAP is a little quirky,
> there need be no real relation between the CN in the certificate and
> the actual server.  You could use the same certificate with an artificial
> CN (e.g. "wireless.domain.edu") for all the servers.  Obviously there are
> some security issues with duplicating this certificate to so many servers,
> but given that the EAP methods don't generally have the ability to do CRL
> checking, I don't think it's a big difference.  Even if you have different
> certs for the different servers, you wouldn't be able to revoke one if it
> became compromised.
>
> As to the client side - Microsoft's built-in client will do the hostname
> validation whether you're doing EAP-TLS or PEAP.  As I mentioned above,
> I actually think you can also work with just one hostname in the other
> clients you mention.
>
> 	-Christian
>
> On Tue, 20 Jul 2004, Terry Simons wrote:
>
>>
>> That would require making every student aware of every server on our
>> campus, which is extremely decentralized... This is really not an
>> option for us.  (We have a large number of servers which is still
>> growing rapidly).
>>
>> I can see though, how that could help with a setup where very few
>> servers are used.
>>
>> Also, the ability to specify specific servers is something that I have
>> seen with PEAP, but not with other clients (we don't use PEAP), though
>> it might be an interesting feature request.  Most of the clients out
>> there let you specify a single server name, or a domain (such as
>> .utah.edu).
>>
>> I think it really depends on how any given organization is set up.
>>
>> - Terry
>>
>> Christian Wiedmann wrote:
>>
>>> Perhaps an easier solution than having your own CA is simply to limit the
>>> hostnames that you will allow through.  Make sure the "Connect to these
>>> servers" field in the EAP Properties dialog specifies the CN in the
>>> certificate, and you won't be able to use a different Verisign
>>> certificate.
>>>
>>> Note that I'm using Radiator, PEAP, and a Verisign certificate using this
>>> setup on Windows XP without any trouble.
>>>
>>> 	-Christian
>>>
>>> On Fri, 16 Jul 2004, Terry Simons wrote:
>>>
>>>> Hi Scott, Mike, Hugh.  ;-)
>>>>
>>>> A better solution than purchasing a certificate might be to run your
>>>> own CA and create your own certificates.  In fact, this is a much
>>>> better and more secure solution than even using somebody like
>>>> Verisign.
>>>>
>>>> If you were running a Verisign CA signed server certificate for
>>>> 802.1X authentication, I could also request a Verisign server
>>>> certificate, and hand it to your user to pull off a Man in the Middle
>>>> attack.  Because your client is going to verify Verisign (because
>>>> that's what your certificate was signed against), they will also
>>>> allow my server certificate (which was also signed by Verisign).
>>>> This is a bad idea in general, and should probably be avoided.
>>>>
>>>>
>>
>>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
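The thread above describes two supplicant-side settings that decide whether a PEAP client can be handed someone else's certificate: which CA the client trusts, and whether it also pins the server name (the "Connect to these servers" field on Windows). The following wpa_supplicant network blocks are an added illustration of the same two configurations, not taken from the thread or from the Radiator project. The SSID, file paths, identity and "wireless.domain.edu" server name are assumed placeholders; the configuration keys (ca_cert, domain_suffix_match, altsubject_match) are real wpa_supplicant options.

```conf
# ASSUMED placeholder values throughout (SSID, paths, identity, server name).

# Weak: trusts the whole public CA bundle and checks no server name.
# Any server certificate issued by any CA in the bundle is accepted,
# which is the Verisign-signed substitute certificate case from the thread.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="student@domain.edu"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# Hardened: trust only the organisation's own CA (Terry's suggestion) and
# pin the server name (Christian's suggestion). Both checks must pass, so a
# certificate from another CA, or one from the right CA with a different
# name, is rejected before any MSCHAPv2 credentials are sent.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="student@domain.edu"
    # Private CA that signs only the RADIUS servers' certificates.
    ca_cert="/etc/wpa_supplicant/campus-radius-ca.pem"
    # Accept only certificates whose DNS name ends with this suffix; one
    # shared CN such as wireless.domain.edu on every server, as Christian
    # describes, matches this too.
    domain_suffix_match="wireless.domain.edu"
    # Stricter alternative: require this exact SAN entry.
    # altsubject_match="DNS:wireless.domain.edu"
}
```

Because the hardened block names the private CA file directly, the supplicant never consults the system bundle, so the scenario in the thread (an attacker obtaining a certificate from the same public CA) is closed off even on a client that does no CRL checking.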
