cat-users - Re: [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] eduroam and certificates


  • From: Jan-Frederik Rieckers <rieckers AT dfn.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroam and certificates
  • Date: Sat, 14 Aug 2021 16:07:17 +0200

Hello Patrick,

On 13.08.21 16:17, Patrick Oberli wrote:
> Hi Martin
>
> Thanks for your elaborate answer.
> Currently my eduroam setup is the classic WPA2-Enterprise with PEAP
> MSCHAPv2 username+password variant. So far I've always used the exactly
> same certificate on all radius servers, but our CA is giving us a hard time
> offering the same certificate for multiple servers.

I don't really know what the problem of the CA is.
(I am not that familiar with current CA policies, but it seems like a
perfectly valid use case to me)

One possible solution would be to issue certificates with different CNs
but a shared SubjectAltName (SAN).

E.g. with
Cert 1)
CN=radius1.example.com and
SAN=DNS.1:radius1.example.com,DNS.2:radius.example.com

Cert 2)
CN=radius2.example.com and
SAN=DNS.1:radius2.example.com,DNS.2:radius.example.com


> But I didn't realize that the client doesn't actually validate the content
> of the certificate (the server names provided) besides checking if it's
> always the same one and maybe from a trusted CA. That makes things
> considerably easier :)
> Please correct me if I misunderstood your answer.

If the clients are properly configured, they do check against the CN or
SubjectAltName of the certificate. This definitely should happen, to
ensure that only the certificates of one's own radius server are trusted.

In the example above, the check could be configured to radius.example.com.
I don't know how different OSes treat lists of valid hostnames. At least
for Windows I know that several host names can be entered; in this case
the check could be configured to radius1.example.com,radius2.example.com.

Disabling the certificate name check would enable any person with a
valid certificate of this specific CA to launch an evil twin attack.
If the CA used is a public one, it could even be a web server
certificate, which can be obtained easily.

Greetings,
Janfred

--
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Tel.: 030 884299-0 (DFN-GS Berlin: office)
Fax: 030 88 42 99 370
http://www.dfn.de

Board: Prof. Dr. Odej Kao (Chairman) | Dr. Rainer Bockholt |
Christian Zens
Management: Dr. Christian Grimm | Jochem Pattloch
Register of Associations, Charlottenburg District Court 7729NZ | VAT ID DE 1366/23822
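The server-name check Janfred describes, modelled as an added example (this is not code from the thread, from DFN, or from the CAT project). It reproduces the supplicant's decision: the certificate must come from the configured CA, and the expected server name must match one of the certificate's DNS SubjectAltNames, with the CN used only as a fallback when no DNS SANs are present (the RFC 6125 rule). The certificates are constructed Python objects rather than parsed X.509; their names mirror the two-certificate layout above, plus a constructed web-server certificate from the same public CA to show what the name check rejects and what disabling it lets through. The issuer string "Example Public CA" and the hostname www.example.net are assumptions.

```python
"""Supplicant-side name check against a RADIUS server certificate (added example)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class ServerCert:
    """Minimal stand-in for the identity fields of an X.509 server certificate."""
    issuer: str                                  # CA that signed it (trust anchor name)
    cn: str                                      # subject CommonName
    san_dns: List[str] = field(default_factory=list)  # dNSName SubjectAltName entries


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison. A wildcard is allowed only as the
    entire left-most label (RFC 6125 6.4.3) and never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False                             # e.g. "rad*.example.com" or "*" alone
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def cert_covers_hostname(cert: ServerCert, expected: str) -> bool:
    """If the certificate carries DNS SANs, only they count; otherwise fall back to CN."""
    candidates = cert.san_dns if cert.san_dns else [cert.cn]
    return any(name_matches(p, expected) for p in candidates)


def accept_server(cert: ServerCert,
                  trusted_cas: Iterable[str],
                  expected_names: Optional[Iterable[str]]) -> bool:
    """Return True if a supplicant configured with `trusted_cas` and
    `expected_names` would accept this server certificate.
    expected_names=None models a profile with the name check switched off."""
    if cert.issuer not in set(trusted_cas):
        return False                             # untrusted CA: rejected regardless of names
    if expected_names is None:
        return True                              # no name check: any cert from the CA passes
    return any(cert_covers_hostname(cert, n) for n in expected_names)


# Constructed sample certificates following the layout from the thread.
RADIUS1 = ServerCert("Example Public CA", "radius1.example.com",
                     ["radius1.example.com", "radius.example.com"])
RADIUS2 = ServerCert("Example Public CA", "radius2.example.com",
                     ["radius2.example.com", "radius.example.com"])
# Ordinary web-server certificate from the same public CA (constructed; assumed hostname).
WEBCERT = ServerCert("Example Public CA", "www.example.net", ["www.example.net"])

TRUSTED = ["Example Public CA"]


def evaluate_profiles() -> dict:
    """Outcome of the three certificates under the two profile styles discussed."""
    shared_name = ["radius.example.com"]                      # one shared SAN
    listed_names = ["radius1.example.com", "radius2.example.com"]  # per-server list (Windows style)
    return {
        "radius1_shared": accept_server(RADIUS1, TRUSTED, shared_name),
        "radius2_shared": accept_server(RADIUS2, TRUSTED, shared_name),
        "radius1_listed": accept_server(RADIUS1, TRUSTED, listed_names),
        "radius2_listed": accept_server(RADIUS2, TRUSTED, listed_names),
        "webcert_checked": accept_server(WEBCERT, TRUSTED, shared_name),
        "webcert_unchecked": accept_server(WEBCERT, TRUSTED, None),
    }


if __name__ == "__main__":
    for profile, accepted in evaluate_profiles().items():
        print(f"{profile:18s} -> {'accepted' if accepted else 'rejected'}")
```

The last two entries are the point of the thread: with the name check on, the web-server certificate is rejected even though it chains to the trusted CA; with the check off, the CA alone decides and the same certificate is accepted. Either a single shared SAN or an explicit list of per-server names keeps both RADIUS certificates working while still rejecting everything else the CA has issued.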
