[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP
A.L.M.Buxey at lboro.ac.uk
Sat Jun 21 07:54:58 CDT 2014
Hi,
> I've been searching around the list and the Internet trying to figure
> out how a wireless client can verify the hostname of the SSL cert
> provided by Radiator through the NAS as an SMTP or HTTP client would,
> but I can't seem to find anything insightful. I'm not concerned with how
> the client uses the SSL chain and its included CAs to verify the cert
> cryptographically.
>
> For one, the client doesn't have Internet to make a reverse lookup until
> they accept the cert.

correct. there are no reverse lookups etc.

the client is configured to trust a CA (and the RADIUS cert is signed by that CA - either directly or with intermediates that the client either knows or is passed through to it via the 802.1X certificate phase) and the client is configured to trust a CN; that CN is given to the RADIUS certificate.

i.e. client configured to trust a CA and given the CN of a certificate it should trust. the RADIUS server presents a certificate signed by that trusted CA and has a name that the client is configured to trust. you'll realise by now that you don't want to use a public CA as many clients cannot be configured to trust a specific CN and anyone could get a cert signed by e.g. verisign ;-)

alan
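
The two checks described in the reply above (a pinned CA plus an expected certificate name) can be reproduced offline with openssl. This is an added example, not part of the original post: the CA names, `radius.example.org`, `printer.example.org` and the throwaway keys are constructed, and `openssl verify -verify_hostname` is used here as a stand-in for a supplicant's name check.

```shell
#!/bin/sh
# Constructed fixtures: throwaway keys and made-up names, not from the post.
WORK=$(mktemp -d)
PINNED_NAME="radius.example.org"   # assumed name configured on the client

# make_ca <prefix> <CN>: self-signed CA key and certificate in $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue <ca-prefix> <cert-prefix> <CN>: server certificate signed by that CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 2 -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# accepts <trust-file> <cert-prefix>: chain must end in <trust-file> AND the
# certificate name must equal PINNED_NAME (stand-in for the supplicant's check)
accepts() {
    openssl verify -CAfile "$WORK/$1" -verify_hostname "$PINNED_NAME" \
        "$WORK/$2.pem" >/dev/null 2>&1
}
pinned_ca_accepts()   { accepts campus.pem "$1"; }   # only the private CA trusted
broad_store_accepts() { accepts bundle.pem "$1"; }   # any CA in a big store trusted

make_ca campus "Campus Private CA"
make_ca other  "Some Public CA"
cat "$WORK/campus.pem" "$WORK/other.pem" > "$WORK/bundle.pem"
issue campus genuine   "$PINNED_NAME"         # the real RADIUS server
issue other  samename  "$PINNED_NAME"         # same name, different CA
issue campus othername "printer.example.org"  # right CA, wrong name

for c in genuine samename othername; do
    pinned_ca_accepts "$c"   && p=accept || p=reject
    broad_store_accepts "$c" && b=accept || b=reject
    echo "$c: pinned-CA client=$p, broad-store client=$b"
done
```

Only the client that pins the private CA rejects the same-name certificate issued by the other CA; the name check alone is what rejects `othername`.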