On Sat, Jan 13, 2018 at 06:07:39PM +0700, Victor Sudakov wrote:
> Eitan Adler wrote:
> > On 13 January 2018 at 01:55, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
> > >
> > > Are there any network experts willing to look at the dump of RADIUS
> > > traffic at http://noc.sibptus.ru/~sudakov/radius.pcap ?
> >
> > From wireshark: PEAP / EAP-MD5-CHALLENGE
>
> Eitan, do you mean it's EAP-MD5 encapsulated in PEAP (TLS tunnel)?
>
> Why is the client not checking the server's certificate authenticity
> and how do I make the client check it against a CA (if I need to)?

Dear Виктор,
Android client doesn't care for server certificate authenticity, so you don't have to install the CA certificate, which was probably automatically generated by radius and written to the file:

/usr/local/etc/raddb/certs/ca.der

Windows and Mac clients do care for it, so the CA cert should be installed as a Trusted Root Certificate Authority for these clients.

If you want to have 0 problems with Windows clients, I recommend building a simple captive portal based on PF redirection and a simple login page. The page could be written as a CGI script in Perl or PHP. I also recommend incorporating net-mgmt/pftabled to manage the PF table directly from this portal without any risk of privilege escalation.

Bear also in mind that all initial client requests should be redirected by the HTTP server with a "Status: 302 Moved" response, otherwise the portal will not be properly discovered by clients, as was pointed out before.

-- 
Marek Zarychta
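The captive-portal logic Marek sketches (PF redirects unauthorised clients to a login CGI, which answers with "Status: 302 Moved" until the client logs in and its address is added to the PF table) as an added example, not code from the thread. It is written in Python rather than Perl/PHP; the portal host, table-insertion callback (standing in for whatever talks to pftabled) and the sample credentials are assumptions.

```python
import hmac
from html import escape
from urllib.parse import quote, parse_qs

PORTAL_HOST = "portal.example.net"   # assumed: host the PF rdr rule sends port-80 traffic to
LOGIN_PATH = "/login"
USERS = {"guest": "s3cret"}          # constructed sample credentials; use a real backend

def cgi_response(status, headers, body=""):
    """Serialise a CGI reply: the 'Status:' line must come first so the HTTP
    server emits a real 302 and the OS captive-portal probe notices it."""
    return "\r\n".join([f"Status: {status}"] + [f"{k}: {v}" for k, v in headers] + ["", body])

def handle(client_ip, method, host, path, query, form, authorized, add_to_table):
    """Handle one redirected request.
    authorized   - set of client IPs already present in the PF table
    add_to_table - callback that asks pftabled to add an IP (assumed interface)
    Returns (status, headers, body) for cgi_response()."""
    login_url = f"http://{PORTAL_HOST}{LOGIN_PATH}"
    if client_ip in authorized:
        return "200 OK", [("Content-Type", "text/plain")], "already authorized\n"
    if host != PORTAL_HOST:
        # Any foreign destination: explicit 302 to the portal, original URL preserved.
        original = f"http://{host}{path}"
        return "302 Moved", [("Location", f"{login_url}?url={quote(original, safe='')}")], ""
    if path != LOGIN_PATH:
        return "404 Not Found", [("Content-Type", "text/plain")], "no such page\n"
    target = parse_qs(query).get("url", [f"http://{host}/"])[0]
    if method == "GET":
        body = ('<form method="post"><input name="user">'
                '<input name="pw" type="password">'
                f'<input type="hidden" name="url" value="{escape(target, quote=True)}">'
                '<input type="submit"></form>')
        return "200 OK", [("Content-Type", "text/html")], body
    user, pw = form.get("user", ""), form.get("pw", "")
    # Constant-time compare so a wrong password does not leak timing information.
    if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
        add_to_table(client_ip)        # client now bypasses the rdr rule
        dest = form.get("url", target)
        if not dest.startswith("http://"):   # refuse to act as an open redirector
            dest = f"http://{host}/"
        return "302 Moved", [("Location", dest)], ""
    return "403 Forbidden", [("Content-Type", "text/plain")], "bad credentials\n"
```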