XP supplicant and Secure Certificate acceptance


XP supplicant and Secure Certificate acceptance

John C. Koen
I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
is after authenticating against FreeRadius, XP asks me to OK
the server certificate.

I do not want to manually validate the server certificate.  XP should be able
to validate the certificate by itself, as long as the cert has been issued by
a valid Certificate Authority.  I have tried using certs from DigiCert and
Verisign.

Does anyone else see this same problem?  How can this step be automated so that
my users are not required this additional click?

--johnk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: XP supplicant and Secure Certificate acceptance

Josh Howlett
On Mon, 1 Aug 2005, [hidden email] wrote:

> I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
> is after authenticating against FreeRadius, XP asks me to OK
> the server certificate.
>
> I do not want to manually validate the server certificate.  XP should be able
> to validate the certificate by itself, as long as the cert has been issued by
> a valid Certificate Authority.  I have tried using certs from DigiCert and
> Verisign.

Hi,

In an 802.1x context, it is best to use certs from a self-signed CA,
rather than a well-known CA (such as Verisign).

This is because an attacker could dupe your users' supplicants by
acquiring a certificate from the same CA that you trust (i.e. Verisign),
and install a rogue WAP near your premises to steal inner-tunnel
credentials.

There is a solution, and this is to get the supplicant to verify certain
attributes within the server cert. However, I am aware of only one
supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend
using a self-signed CA.

Evidently, you'll need to distribute the CA's root certificate to your
users.

josh.



Re: XP supplicant and Secure Certificate acceptance

Zoltan Ori
In reply to this post by John C. Koen
On Monday 01 August 2005 16:37, [hidden email] wrote:

> I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
> is after authenticating against FreeRadius, XP asks me to OK
> the server certificate.
>
> I do not want to manually validate the server certificate.  XP should be
> able to validate the certificate by itself, as long as the cert has been
> issued by a valid Certificate Authority.  I have tried using certs from
> DigiCert and Verisign.
>
> Does anyone else see this same problem?  How can this step be automated so
> that my users are not required this additional click?
>

On the XP machines you can either uncheck the "Validate server certificate" in
the EAP properties (not recommended) or you can specify the trusted root
certificate that you are using (check the box in the list) and the RADIUS
server names.

The validation is not a big deal and you only have to do it once unless you
are wiping the eapinfo from the registry on shutdown.

Zoltan Ori

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
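An added example, not from the thread or from FreeRADIUS, modelling in Python the supplicant-side decision Josh and Zoltan describe: a certificate from a public CA is still "valid", so trust has to be scoped to the root the admin selected and to the configured RADIUS server names. Certificate fields, fingerprints and host names are constructed placeholders; real X.509 parsing and signature verification are assumed to have happened already.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str           # CN the RADIUS server presents
    issuer: str            # CA that signed it
    root_fingerprint: str  # fingerprint of the root the chain ends at

@dataclass
class EapPolicy:
    validate_server_cert: bool = True                # "Validate server certificate" box
    trusted_roots: set = field(default_factory=set)  # roots ticked in the trusted list
    server_names: set = field(default_factory=set)   # allowed RADIUS server names

def accept_server(cert, policy, os_store):
    """Return (accepted, reason). os_store holds the root fingerprints the OS
    trusts (admin-pushed private root plus preinstalled public CAs). Chain and
    signature checks are assumed done; only the trust-scoping decisions are modelled."""
    if not policy.validate_server_cert:
        return True, "validation disabled: anything accepted"
    if cert.root_fingerprint not in os_store:
        return False, "chain does not end at an installed root"
    if policy.trusted_roots and cert.root_fingerprint not in policy.trusted_roots:
        return False, "root installed but not selected for EAP"
    if policy.server_names and cert.subject not in policy.server_names:
        return False, f"server name {cert.subject!r} not allowed"
    return True, "ok"

# Constructed sample data; the fingerprints are placeholders, not real values.
PRIVATE_CA = "sha1:PRIVATE-ROOT-PLACEHOLDER"
PUBLIC_CA = "sha1:PUBLIC-ROOT-PLACEHOLDER"
OS_STORE = {PRIVATE_CA, PUBLIC_CA}
LEGIT = Cert("radius.example.org", "Example Private CA", PRIVATE_CA)
# A rogue AP's certificate: validly issued by a public CA for a name it owns.
ROGUE = Cert("radius.rogue.example", "Public CA", PUBLIC_CA)

DEFAULT = EapPolicy()                                   # trust any installed root
HARDENED = EapPolicy(True, {PRIVATE_CA}, {"radius.example.org"})
LAX = EapPolicy(validate_server_cert=False)             # the "not recommended" option

def evaluate_scenarios():
    """Map scenario name -> accepted? for the cases raised in the thread."""
    return {
        "legit_hardened": accept_server(LEGIT, HARDENED, OS_STORE)[0],
        "rogue_default": accept_server(ROGUE, DEFAULT, OS_STORE)[0],
        "rogue_hardened": accept_server(ROGUE, HARDENED, OS_STORE)[0],
        "rogue_lax": accept_server(ROGUE, LAX, OS_STORE)[0],
    }
```

Only the hardened policy rejects the rogue certificate; the default policy accepts it because the public root is installed, which is the exposure Josh describes.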

Re: XP supplicant and Secure Certificate acceptance

David Mitton
In reply to this post by John C. Koen
I think your terminology is incorrect.

I know for a fact that Funk's software will not accept a self-signed cert.
That is a certificate not signed by another CA.

What I think you meant was having your own private trusted CA root,
Where the server and client certs are signed by it.
And, yes, in that configuration you have to install the cert for that CA on the clients, if you want them to verify the server cert.

If you can provide me a pointer to the Funk documentation that recommends what you suggest, I would appreciate it.

Dave.

----- Original Message -----
From: "Josh Howlett" <[hidden email]>
To: "FreeRadius users mailing list" <[hidden email]>
Subject: Re: XP supplicant and Secure Certificate acceptance
Date: Mon, 1 Aug 2005 21:53:16 +0100 (BST)

>
> On Mon, 1 Aug 2005, [hidden email] wrote:
>
> > I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
> > is after authenticating against FreeRadius, XP asks me to OK
> > the server certificate.
> >
> > I do not want to manually validate the server certificate.  XP should be able
> > to validate the certificate by itself, as long as the cert has been issued by
> > a valid Certificate Authority.  I have tried using certs from DigiCert and
> > Verisign.
>
> Hi,
>
> In an 802.1x context, it is best to use certs from a self-signed CA, rather
> than a well-known CA (such as Verisign).
>
> This is because an attacker could dupe your users' supplicants by acquiring a
> certificate from the same CA that you trust (i.e. Verisign), and install a
> rogue WAP near your premises to steal inner-tunnel credentials.
>
> There is a solution, and this is to get the supplicant to verify certain
> attributes within the server cert. However, I am aware of only one supplicant
> that can do this: Funk's Odyssey. FWIW, even Funk recommend using a
> self-signed CA.
>
> Evidently, you'll need to distribute the CA's root certificate to your users.
>
> josh.
>
>



Re: XP supplicant and Secure Certificate acceptance

Josh Howlett
On Mon, 1 Aug 2005, David Mitton wrote:

> I think your terminology is incorrect.

Yes. It's late :-)

> I know for a fact that Funk's software will not accept a self-signed cert.
> That is a certificate not signed by another CA.
>
> What I think you meant was having your own private trusted CA root,
> Where the server and client certs are signed by it. And, yes, in that
> configuration you have to install the cert for that CA on the clients,
> if you want them to verify the server cert.

That's correct.

josh.

> If you can provide me a pointer to the Funk documentation that
> recommends what you suggest, I would appreciate it.
>
> Dave.
>
> ----- Original Message -----
> From: "Josh Howlett" <[hidden email]>
> To: "FreeRadius users mailing list" <[hidden email]>
> Subject: Re: XP supplicant and Secure Certificate acceptance
> Date: Mon, 1 Aug 2005 21:53:16 +0100 (BST)
>
>>
>> On Mon, 1 Aug 2005, [hidden email] wrote:
>>
>>> I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
>>> is after authenticating against FreeRadius, XP asks me to OK
>>> the server certificate.
>>>
>>> I do not want to manually validate the server certificate.  XP should be able
>>> to validate the certificate by itself, as long as the cert has been issued by
>>> a valid Certificate Authority.  I have tried using certs from DigiCert and
>>> Verisign.
>>
>> Hi,
>>
>> In an 802.1x context, it is best to use certs from a self-signed CA, rather
>> than a well-known CA (such as Verisign).
>>
>> This is because an attacker could dupe your users' supplicants by acquiring a
>> certificate from the same CA that you trust (i.e. Verisign), and install a
>> rogue WAP near your premises to steal inner-tunnel credentials.
>>
>> There is a solution, and this is to get the supplicant to verify certain
>> attributes within the server cert. However, I am aware of only one supplicant
>> that can do this: Funk's Odyssey. FWIW, even Funk recommend using a
>> self-signed CA.
>>
>> Evidently, you'll need to distribute the CA's root certificate to your users.
>>
>> josh.
>>

------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [hidden email]
------------------------------------------------------------