[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

Michael Rodrigues mrodrigues at education.ucsb.edu
Wed Jun 18 17:48:24 CDT 2014


Hi,

I've been searching around the list and the Internet trying to figure 
out how a wireless client can verify the hostname of the SSL cert 
provided by Radiator through the NAS as an SMTP or HTTP client would, 
but I can't seem to find anything insightful. I'm not concerned with how 
the client uses the SSL chain and its included CAs to verify the cert 
cryptographically.

For one, the client doesn't have Internet to make a reverse lookup until 
they accept the cert.

Second, even if they were allowed DNS before authentication, someone 
controlling the network could easily catch and spoof the reverse lookup 
reply to make their cert look legitimate (assuming it was 
cryptographically legitimate).

I'm doing some development/testing and I notice that iOS and Windows 8 
seem to see my certificate as valid but not "verified". I set up a PTR 
record to match my host and cert name, but it didn't seem to make any 
difference. I monitored tcpdump while authenticating from OS X and I see 
no PTR requests.

I realize each client can have a different implementation. Is it even 
possible to legitimately verify a certificate hostname for clients using 
PEAP and EAP? I'd like to be as secure as possible without resorting to 
client-side certificates.

Thanks,
Michael

-- 
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
help at education.ucsb.edu



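The check the post is asking about does not involve DNS at all: a supplicant compares the names inside the server certificate against an expected name that the client was provisioned with (on wpa_supplicant this is the `domain_suffix_match` / `domain_match` setting next to `ca_cert`; on Windows and iOS it is the "connect to these servers" name list in the profile). The following is an added example, not code from the original post or from Radiator, that implements that comparison in Python. The matching rules are modelled on the semantics documented for wpa_supplicant's `domain_suffix_match` (label-by-label suffix comparison, SAN dNSName entries first, Subject CN only when the certificate carries no dNSName); the certificate identities, host names and the `ServerCertIdentity` type are constructed sample data, not parsed from real certificates.

```python
"""Added example (not from the original post or from Radiator): how a supplicant
decides that a PEAP/EAP-TLS server certificate belongs to the expected server
without any DNS or PTR lookup.  The expected name comes from the client's own
configuration and is compared against names found inside the certificate.

The rules below are modelled on the documented behaviour of wpa_supplicant's
domain_suffix_match / domain_match; sample identities are constructed.
"""

from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCertIdentity:
    """Names a supplicant extracts from the server certificate (constructed here,
    in a real client these come from the parsed X.509 Subject and SAN)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored, split on '.'."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def suffix_matches(cert_name: str, expected_suffix: str) -> bool:
    """Label-by-label suffix comparison starting from the TLD.

    'radius.education.ucsb.edu' matches the suffix 'education.ucsb.edu', but
    'radius.evil-education.ucsb.edu' does not, because the comparison is made on
    whole labels, never on substrings.  Wildcard names are never accepted.
    """
    if "*" in cert_name:
        return False
    cert = _labels(cert_name)
    want = _labels(expected_suffix)
    if not want or len(cert) < len(want):
        return False
    return cert[-len(want):] == want


def _candidate_names(ident: ServerCertIdentity) -> List[str]:
    """SAN dNSName entries take precedence; the CN is consulted only when the
    certificate has no dNSName at all, so a correct-looking CN cannot rescue a
    certificate whose SAN names point somewhere else."""
    return ident.san_dns if ident.san_dns else [ident.subject_cn]


def domain_suffix_match(ident: ServerCertIdentity, expected_suffix: str) -> bool:
    """wpa_supplicant-style domain_suffix_match: any candidate name whose
    labels end with all the labels of expected_suffix satisfies the check."""
    return any(suffix_matches(n, expected_suffix) for n in _candidate_names(ident))


def domain_match(ident: ServerCertIdentity, expected_fqdn: str) -> bool:
    """wpa_supplicant-style domain_match: a candidate name must equal the
    expected FQDN exactly (case-insensitively); wildcards are rejected."""
    want = _labels(expected_fqdn)
    return any("*" not in n and _labels(n) == want for n in _candidate_names(ident))


# Constructed sample identities (hypothetical host names, not real certificates).
LEGIT = ServerCertIdentity(
    subject_cn="radius.education.ucsb.edu",
    san_dns=["radius.education.ucsb.edu"],
)
# Rogue AP presenting a cert that passes chain validation under some public CA
# for a name it legitimately owns, hoping a substring-style check lets it through.
LOOKALIKE = ServerCertIdentity(
    subject_cn="radius.evil-education.ucsb.edu",
    san_dns=["radius.evil-education.ucsb.edu"],
)
# CN looks right, but the SAN (which takes precedence) names another host.
CN_ONLY_LOOKS_RIGHT = ServerCertIdentity(
    subject_cn="radius.education.ucsb.edu",
    san_dns=["radius.attacker.example"],
)
# Older certificate with no SAN at all: the CN is the only name available.
CN_ONLY_LEGACY = ServerCertIdentity(subject_cn="radius.education.ucsb.edu")


def evaluate_all(expected_suffix: str = "education.ucsb.edu") -> dict:
    """Run the suffix check over the constructed identities; returns name -> verdict."""
    samples = {
        "legit": LEGIT,
        "lookalike": LOOKALIKE,
        "cn_only_looks_right": CN_ONLY_LOOKS_RIGHT,
        "cn_only_legacy": CN_ONLY_LEGACY,
    }
    return {name: domain_suffix_match(ident, expected_suffix) for name, ident in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT'}")
```

In wpa_supplicant terms the equivalent client configuration is `ca_cert` pointing at the CA that issued the Radiator certificate plus `domain_suffix_match="education.ucsb.edu"` (or `domain_match` with the exact server FQDN); the server side only has to present a certificate whose SAN dNSName contains the name the clients are told to expect. Because the expected name is provisioned, not looked up, spoofing PTR replies on the pre-auth network buys an attacker nothing, which is consistent with the absence of PTR queries the post observed in tcpdump.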