cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Patrick Oberli <patrick.oberli AT ost.ch>
- To: Martin Pauly <pauly AT hrz.uni-marburg.de>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] eduroam and certificates
- Date: Fri, 13 Aug 2021 14:17:10 +0000
- Accept-language: en-CH, de-CH, en-US
Hi Martin
Thanks for your elaborate answer.
Currently my eduroam setup is the classic WPA2-Enterprise with PEAP MSCHAPv2
username+password variant. So far I've always used exactly the same
certificate on all radius servers, but our CA is giving us a hard time
offering the same certificate for multiple servers.
But I didn't realize that the client doesn't actually validate the content of
the certificate (the server names provided) besides checking if it's always
the same one and maybe from a trusted CA. That makes things considerably
easier :)
Please correct me if I misunderstood your answer.
Thanks,
Patrick
Kind regards
ICT - IT-Infrastructure
Network and Multimedia Team
Patrick Oberli
Direct phone: +41 58 257 4958
Email: patrick.oberli AT ost.ch
OST - Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch
OST - Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.
-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Martin Pauly
Sent: Friday, 13 August 2021 16:08
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] eduroam and certificates
Hello Patrick,
On 13.08.21 at 15:29, Patrick Oberli wrote:
> Our CA really doesn't like to provide one certificate with multiple
> hostnames, destined for several radius servers.
You are talking about RADIUS servers doing 802.1X/802.11i, i.e. some sort of
TLS authentication on layer 2, right?
The "opposite" would be radsecproxy which is entirely different in these
details.
If you just want to provide two or more RADIUS servers (for redundancy) which
serve exactly the same purpose, you can simply use the same cert for all of
them.
Please read
https://wiki.geant.org/pages/viewpage.action?pageId=121346259
Section "EAP Server certificate considerations", Consideration 2: "Recommended
certificate properties"
The technical reason is: With a layer 2 logon process (i.e. TLS over EAPoL),
there is no DNS resolving step involved that would give the client an
implicit clue which servername (CN/SAN) to check in the server cert. Rather,
you pre-configure the (fixed) servername in your clients (Android calls this
string "Domain" in the UI).
Along with the root cert which was used to sign the server cert, the identity
check becomes unique and "waterproof".
> Or does the operating system only check the domain and root CA (I
> think android does that) if it's the same today? So various
> certificates with the same domain from the same CA would not cause a
> certificate accept pop-up?
Exactly. And all clients should follow the same procedure here.
Android is only different in that many Android implementations easily use "Do
not validate" as their default setting which makes the client vulnerable to
the infamous "Evil Twin" attack.
Most other OSes pop up the cert warning instead, implementing TOFU.
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
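The client-side setting Martin describes (a pinned root CA plus a fixed, pre-configured server name, since EAP has no DNS step to derive one from) and the "Do not validate" failure mode he warns about, shown as an added example that is not part of this thread: a weak and a hardened wpa_supplicant network block for the PEAP/MSCHAPv2 setup. The SSID, identities, CA file path and server name are placeholders.

```ini
# Added example, not from the thread. Two wpa_supplicant network blocks for a
# PEAP/MSCHAPv2 eduroam profile; all names and paths below are placeholders.

# WEAK: no CA and no server name configured. This is the "Do not validate"
# setting: the supplicant cannot distinguish a rogue RADIUS server from the
# real one, so a user's credentials can be handed to whoever answers first.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="CHANGEME"
}

# HARDENED: pin the root CA that signed the RADIUS server certificate and the
# fixed server name that must appear as a dNSName SAN (or CN) in that
# certificate. Because there is no DNS lookup in an EAP logon, domain_match is
# the only thing binding the presented certificate to "our" server; any number
# of redundant RADIUS servers may present a certificate carrying this name.
# domain_suffix_match would accept subdomains as well; domain_match is exact.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # outer identity: keeps the real username out of the cleartext EAP phase
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="CHANGEME"
    # placeholder path to the CA certificate that issued the server cert
    ca_cert="/etc/wpa_supplicant/example-edu-root-ca.pem"
    # placeholder server name; the value Android labels "Domain" in its UI
    domain_match="radius.example.edu"
}
```

Whether the supplicant then accepts a connection depends on both checks passing, which is why the clients in the thread do not complain when several servers present different certificates from the same CA with the same name.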