[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

Heikki Vatiainen hvn at open.com.au
Thu Jun 19 14:46:26 CDT 2014 

On 06/19/2014 01:48 AM, Michael Rodrigues wrote:

> I've been searching around the list and the Internet trying to figure 
> out how a wireless client can verify the hostname of the SSL cert 
> provided by Radiator through the NAS as an SMTP or HTTP client would, 
> but I can't seem to find anything insightful. I'm not concerned with how 
> the client uses the SSL chain and its included CAs to verify the cert 
> cryptographically.

Since your organisation is an educational organisation, you may want to
check the eduroam documentation for these issues. For example:
https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

A tool such as eduroam CAT helps with these issues.

> For one, the client doesn't have Internet to make a reverse lookup until 
> they accept the cert.

Yes, and even if it could do a reverse lookup, what would the answer be
useful for? I understand the problem you are thinking about and the doc
referenced above talks more about this.

> Second, even if they were allowed DNS before authentication, someone 
> controlling the network could easily catch and spoof the reverse lookup 
> reply to make their cert look legitimate (assuming it was 
> cryptographically legitimate).

Yes, but as you noticed, there's no connectivity before the certificates
are used. And I'd say it is not possible because of how 802.1X works.

> I'm doing some development/testing and I notice that iOS and Windows 8 
> seem to see my certificate as valid but not "verified". I setup a PTR 
> record to match my host and cert name but it didn't seem to make any 
> difference. I monitored tcpdump while authenticating from OS X and I see 
> no PTR requests

I'm not surprised. There's really no useful answer that can be expected
even if DSN queries were made. A usual case is that the client initially
has no IP address and EAPOL is used directly over the LAN. So there's no
IP connectivity to make DNS queries and no peer IP address to verify
with a DNS PTR lookup.

>   I realize each client can have a different implementation. Is it even 
> possible to legitimately verify a certificate hostname for clients using 
> PEAP and EAP? I'd like to be as secure as possible without resorting to 
> client-side certificates.

See eduroam CAT and the docs eduroam folks have created. I think they
would be very useful to you especially if you are considering adding
eduroam connectivity.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list