[RADIATOR] Password/certificate security seems next to none on Radiator server

Nadav Hod nadav.hod at comm-it.co.il
Fri Oct 2 01:12:24 CDT 2015


Regarding only private keys being sensitive:

For EAP-TLS I only need the Cisco CA and a server certificate with a private key. The Cisco CA had no trust relation with my domain, which created the server certificate and private key for the server. So there was no shared CA between supplicant and authentication server.

In this case the private key wasn't necessary to authenticate the phones. ACS, Cisco's AAA server, also doesn't require the CAPF private key but rather the CAPF public key to authenticate phones. 

________________________________________
From: Sami Keski-Kasari [samikk at open.com.au]
Sent: Thursday, October 01, 2015 10:49 PM
To: Nadav Hod; radiator at open.com.au
Subject: Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

Hello Nadav,

On 10/01/2015 08:52 PM, Nadav Hod wrote:

> And keep in mind that not just private keys need to be kept secure.
> To authenticate phones with EAP-TLS I needed the Cisco call manager's
> CA to be stored locally on Radiator. The certificate was self-signed
> and not exportable without a Cisco admin account. If anyone else were
> to have access to that certificate they could impersonate my server.
> Same goes for any other supplicant with a CA which isn't made public.

In public key cryptography only the private key needs to be kept secure.
For example, a certificate is a public key that you can give to anyone in
order to verify you.

A CA signs certificates with its private key, and the CA certificate is
used to validate the certificates the CA has signed.
So it is not possible to impersonate your server with the CA certificate.
The CA's private key is needed to do that.

Best Regards,
 Sami

--
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
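The point Sami makes above (the CA certificate is public; only the CA's private key can issue a certificate that a verifier holding that CA certificate will accept), as an added example that is not part of this thread or of Radiator. It assumes a POSIX shell with the openssl CLI; the CA and server names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Radiator. Assumes a POSIX
# shell and the openssl CLI; the CA and server names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/CN=Example CallManager CA"
SRV_SUBJ="/CN=radius.example"

# 1. The real CA: a private key (must stay secret) and its self-signed
#    certificate (public; this is all a verifier ever needs).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. A genuine server certificate, issued with the CA's private key.
openssl req -new -newkey rsa:2048 -nodes -subj "$SRV_SUBJ" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" >/dev/null 2>&1

# 3. Someone who holds only ca.crt (no ca.key) can at best build a look-alike
#    CA with the same subject name and issue a certificate for the same server.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
    -keyout "$WORK/lookalike.key" -out "$WORK/lookalike.crt" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "$SRV_SUBJ" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/fake.csr" -CA "$WORK/lookalike.crt" \
    -CAkey "$WORK/lookalike.key" -CAcreateserial -out "$WORK/fake.crt" >/dev/null 2>&1

# verify_against_ca CERT: 0 if CERT chains to the real CA certificate, else 1.
# The check uses only ca.crt, exactly as a supplicant or Radiator would.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Returns 0 only if the genuine certificate verifies and the look-alike,
# despite its identical issuer and subject names, is rejected.
ca_cert_alone_cannot_forge() {
    verify_against_ca "$WORK/server.crt" || return 1
    verify_against_ca "$WORK/fake.crt" && return 1
    return 0
}

if ca_cert_alone_cannot_forge; then
    echo "genuine server.crt verifies against ca.crt; look-alike fake.crt is rejected"
fi
```

The look-alike fails because the signature on fake.crt does not verify under the public key inside ca.crt, regardless of matching names; that is why only ca.key, not ca.crt, needs protecting.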

