[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP
Hartmaier Alexander
alexander.hartmaier at t-systems.at
Fri Jun 20 03:22:33 CDT 2014
On 2014-06-19 00:48, Michael Rodrigues wrote:
> Hi,
>
> I've been searching around the list and the Internet trying to figure
> out how a wireless client can verify the hostname of the SSL cert
> provided by Radiator through the NAS as an SMTP or HTTP client would,
> but I can't seem to find anything insightful. I'm not concerned with how
> the client uses the SSL chain and its included CAs to verify the cert
> cryptographically.
>
> For one, the client doesn't have Internet to make a reverse lookup until
> they accept the cert.
>
> Second, even if they were allowed DNS before authentication, someone
> controlling the network could easily catch and spoof the reverse lookup
> reply to make their cert look legitimate (assuming it was
> cryptographically legitimate).
>
> I'm doing some development/testing and I notice that iOS and Windows 8
> seem to see my certificate as valid but not "verified". I setup a PTR
> record to match my host and cert name but it didn't seem to make any
> difference. I monitored tcpdump while authenticating from OS X and I see
> no PTR requests
>
> I realize each client can have a different implementation. Is it even
> possible to legitimately verify a certificate hostname for clients using
> PEAP and EAP? I'd like to be as secure as possible without resorting to
> client-side certificates.
Security is achieved by configuring a CA cert which you trust, from
which the radius server cert is signed.
In some clients (Windows >= Vista is one of them) you can additionally
configure the subject of the certificate to trust.
Lifetime is checked as well, revocation isn't for the clients I know.
>
> Thanks,
> Michael
>
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
More information about the radiator
mailing list