On 06/19/2014 01:48 AM, Michael Rodrigues wrote:

> I've been searching around the list and the Internet trying to figure
> out how a wireless client can verify the hostname of the SSL cert
> provided by Radiator through the NAS as an SMTP or HTTP client would,
> but I can't seem to find anything insightful. I'm not concerned with how
> the client uses the SSL chain and its included CAs to verify the cert
> cryptographically.

Since your organisation is an educational organisation, you may want to check the eduroam documentation for these issues. For example:

https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

A tool such as eduroam CAT helps with these issues.

> For one, the client doesn't have Internet to make a reverse lookup until
> they accept the cert.

Yes, and even if it could do a reverse lookup, what would the answer be useful for? I understand the problem you are thinking about, and the doc referenced above talks more about this.

> Second, even if they were allowed DNS before authentication, someone
> controlling the network could easily catch and spoof the reverse lookup
> reply to make their cert look legitimate (assuming it was
> cryptographically legitimate).

Yes, but as you noticed, there's no connectivity before the certificates are used. And I'd say it is not possible because of how 802.1X works.

> I'm doing some development/testing and I notice that iOS and Windows 8
> seem to see my certificate as valid but not "verified". I set up a PTR
> record to match my host and cert name but it didn't seem to make any
> difference. I monitored tcpdump while authenticating from OS X and I see
> no PTR requests.

I'm not surprised. There's really no useful answer that can be expected even if DNS queries were made. A usual case is that the client initially has no IP address and EAPOL is used directly over the LAN. So there's no IP connectivity to make DNS queries and no peer IP address to verify with a DNS PTR lookup.

> I realize each client can have a different implementation. Is it even
> possible to legitimately verify a certificate hostname for clients using
> PEAP and EAP? I'd like to be as secure as possible without resorting to
> client-side certificates.

See eduroam CAT and the docs eduroam folks have created. I think they would be very useful to you, especially if you are considering adding eduroam connectivity.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
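What a supplicant can do instead of a DNS or PTR lookup, since it has no IP connectivity during EAPOL, is compare the server certificate against a name and a CA that were provisioned into the client beforehand (which is what an eduroam CAT installer configures). The following Go program is an added illustration of that client-side check; it is not code from the thread, from Radiator, or from eduroam CAT. It builds a throwaway CA and RADIUS server certificate in memory (constructed test data; the names `Example Campus EAP CA` and `radius.example.edu` are made up) and then verifies the server certificate only against the pinned CA and the expected name, with no network lookup of any kind.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate from tmpl. When parent is nil the certificate
// is self-signed (used for the throwaway CA); otherwise it is signed by parentKey.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent = tmpl
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain constructs a test CA and an EAP server certificate carrying
// serverName as a SAN. Both are constructed sample data, not real credentials.
func buildChain(serverName string) (caCert, serverCert *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Campus EAP CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, caKey, err := makeCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // the name the supplicant will be told to expect
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverCert, _, err = makeCert(srvTmpl, caCert, caKey)
	return caCert, serverCert, err
}

// verifyEAPServer is the supplicant-side decision: the presented certificate
// must chain to the one provisioned CA and must contain the provisioned server
// name. Nothing here depends on DNS, PTR records or the peer's IP address.
func verifyEAPServer(presented, trustedCA *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, srv, err := buildChain("radius.example.edu")
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned CA, expected name:", verifyEAPServer(srv, ca, "radius.example.edu"))
	fmt.Println("pinned CA, other name:   ", verifyEAPServer(srv, ca, "other-host.example.edu"))
	otherCA, otherSrv, _ := buildChain("radius.example.edu")
	_ = otherCA
	fmt.Println("unknown CA, same name:   ", verifyEAPServer(otherSrv, ca, "radius.example.edu"))
}
```

The same two inputs, a trusted CA and an expected server name, are what real supplicants take from their configuration (for example wpa_supplicant's `ca_cert` and `domain_suffix_match` settings, or the profile an eduroam CAT installer writes); a certificate that is cryptographically valid under some other CA, or that names a different host, is rejected without the client ever needing an IP address.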