[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Sat Jun 21 07:54:58 CDT 2014


> I've been searching around the list and the Internet trying to figure 
> out how a wireless client can verify the hostname of the SSL cert 
> provided by Radiator through the NAS as an SMTP or HTTP client would, 
> but I can't seem to find anything insightful. I'm not concerned with how 
> the client uses the SSL chain and its included CAs to verify the cert 
> cryptographically.
> For one, the client doesn't have Internet to make a reverse lookup until 
> they accept the cert.

correct. there is no reverse lookups etc.

the client is configured to trust a CA (and the RADIUS cert is signed by that CA - either directly
or with intermediates that the client either knows or is passed through to
it via the 802.1X certificate phase) and the client is configured to trust a CN

that CN is given to the RADIUS certificate. 

ie client configured to trust a CA and given the CN of a certificate it should
trust. the RADIUS server presents a certificate signed by that trusted CA and
has a name that the client is configured to trust.  you'll realise by now that you dont
want to use a public CA as many clients cannot be configured to trust a specific
CN and anyone could get a cert signed by eg verisign  ;-)


More information about the radiator mailing list