
cat-users - Re: [[cat-users]] Using InCommon certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Using InCommon certificates


  • From: Lukas Wringer <Lukas.Wringer AT rz.uni-augsburg.de>
  • To: cat-users AT lists.geant.org
  • Cc: bepstein AT ias.edu
  • Subject: Re: [[cat-users]] Using InCommon certificates
  • Date: Fri, 14 Feb 2020 16:19:44 +0100
  • Organization: Universitaet Augsburg

Hi,

this issue is the reason we use CAT, because it is the only way we
found to set one single CA together with a subject_match (or
altsubject_match) entry, even on Android.

So not only does the server have to authenticate with a certificate
from the one allowed CA, its hostname/subject also has to match.

So your "public" CA would have to issue a certificate matching your
hostname/domain to someone else for that to be a problem. Which would
be an absolute disaster for a CA => see Symantec...

If you have the resources to manage your own PKI and fear a Symantec-like
scenario, you can still go this one step further though...


On Friday, 14.02.2020, 06:06 -0500, Brian Epstein wrote:
> Take a look at this article:
> https://depthsecurity.com/blog/when-802-1x-peap-eap-ttls-is-worse-than-no-wireless-security
> "802.1x supplicants are often configured to trust public CAs from
> which an attacker can obtain a fake certificate."
> Further down:
> "Install a certificate signed by an internal CA that is trusted by
> all wireless users on the RADIUS server.
> Avoid using RADIUS certificates signed by public CAs.
> Enforce validation of RADIUS certificates and manually select the
> internal CA to be trusted. Do this centrally, via tools like Active
> Directory Wireless Group Policies if possible. Ensure help-desk
> personnel and users are not capable of modifying this configuration
> since it has a way of becoming disabled when people are
> troubleshooting wireless issues."
> So basically, anyone who can create an InCommon cert could run a fake
> eduroam AP and harvest user passwords. And, they can do it anywhere,
> like an airport, or in a car on your campus.
> If you do an internal CA, and force the clients to verify it, you
> are safe. You also avoid having to use an intermediate, and can
> create a long term cert.
> We use Eduroam's Cat tool to deploy, it works well.
> All the best, ep
> On Feb 14, 2020 03:19, Stefan Winter <stefan.winter AT restena.lu>
> wrote:
>
>
> Hello,
>
>
> > We have an eduroam setup in test mode and I am looking at using the
> > CAT tool. My question revolves around the intermediate and root
> > certificates.
> >
> > My understanding is that the RADIUS cert renewal won't affect the
> > end users, as long as they are issued by the same intermediate/root
> > certs. So I need to make sure the intermediates and roots don't expire
> > any time soon, right? If they do, users would have to download a new
> > version with the new certificates, right?
>
> That's almost entirely correct.
>
> The root needs to stay the same.
>
> The intermediate can change, but some extra caution has to be applied
> in that case: the EAP server needs to send the new intermediate along
> with its server cert as a partial chain then, because clients do not
> possess the intermediate locally.
>
> It is usually considered good practice to always send the intermediate
> anyway, so it's not a big deal. Just something to be and remain aware
> of.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
> et de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>
--
Lukas Wringer

Universität Augsburg
Rechenzentrum
Beratungs- und Servicezentrum "ZEBRA"
86135 Augsburg

Visitor address and service hours:
Universitätsstraße 8
Building L2, Room 2034
Monday to Thursday from 9:00 to 14:30
Friday from 9:00 to 12:00

Telephone 0821/598-2020
Fax 0821/598-2010
Lukas.Wringer AT rz.uni-augsburg.de
https://www.rz.uni-augsburg.de/zebra
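As an added illustration of the "one CA plus subject_match/altsubject_match" setup Lukas describes (this is not from the thread and not a CAT-generated profile; the subject_match and altsubject_match keywords are wpa_supplicant's, so the example uses wpa_supplicant network blocks), here is the weak configuration next to the hardened one. The SSID, realm, CA file path and RADIUS server hostname are assumptions.

```ini
# Added example, not from the thread or from CAT: two wpa_supplicant
# network blocks for the same SSID.  SSID, realm, CA file path and
# RADIUS hostname are assumed values.

# WEAK: no ca_cert line.  Without ca_cert, wpa_supplicant does not
# verify the server certificate at all, so a PEAP server presenting a
# certificate from any issuer completes the TLS tunnel and receives the
# inner MSCHAPv2 exchange.  Kept here only for comparison (disabled=1).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="<user-password>"
    disabled=1
}

# HARDENED: exactly one trusted root plus a name constraint.
# ca_cert holds only the root; as Stefan notes, clients do not possess
# the intermediate, so the EAP server must send it in its chain.
# altsubject_match requires the server cert's SubjectAltName to carry the
# given DNS entry; domain_match is the same full-name check against
# SAN dNSName (or CN if no dNSName is present).  A certificate from any
# other CA, or from the same CA for a different name, is rejected before
# the inner credentials are ever sent.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="<user-password>"
    ca_cert="/etc/wpa_supplicant/example-edu-eduroam-root.pem"
    altsubject_match="DNS:radius.example.edu"
    domain_match="radius.example.edu"
}
```

The second block is the supplicant-side equivalent of the advice quoted from the depthsecurity article: trust one CA, pin the expected server name, and keep the CA file out of the user's hands so the check does not get switched off during troubleshooting. On platforms where these settings are not exposed in the UI, a CAT installer is what puts the same constraints in place.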
