Hi, I've been searching around the list and the Internet trying to figure out how a wireless client can verify the hostname of the SSL cert provided by Radiator through the NAS as an SMTP or HTTP client would, but I can't seem to find anything insightful. I'm not concerned with how the client uses the SSL chain and its included CAs to verify the cert cryptographically.
For one, the client doesn't have Internet to make a reverse lookup until they accept the cert. Second, even if they were allowed DNS before authentication, someone controlling the network could easily catch and spoof the reverse lookup reply to make their cert look legitimate (assuming it was cryptographically legitimate).

I'm doing some development/testing and I notice that iOS and Windows 8 seem to see my certificate as valid but not "verified". I set up a PTR record to match my host and cert name but it didn't seem to make any difference. I monitored tcpdump while authenticating from OS X and I see no PTR requests. I realize each client can have a different implementation.

Is it even possible to legitimately verify a certificate hostname for clients using PEAP and EAP? I'd like to be as secure as possible without resorting to client-side certificates.

Thanks,
Michael

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu