Blue Light
Space shortcuts
Child pages
  • Installation

Versions Compared

Old Version 27

changes.mady.by.user Dyuman

Saved on

compared with

New Version 28

changes.mady.by.user Dyuman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
...
[ CA_default ]
...
default_days            = 732
...
crlDistributionPoints	= URI:http://server.test.av/test_ca.crl # This URL will not actually be implemented at the moment, but choose a URL where it is possible to in future make the file available

[ req ]
...
input_password	= password # Replace with an actual password, different from the one in server.cnf
output_password	= password # Replace with an actual password, should be same as input_password

[server]
countryName	= IN
stateOrProvinceName	= Tamil Nadu
localityName	= Auroville
organizationName	= Test
emailAddress	= admin@test.av
commonName	= "Test Server Certificate"
 
[v3_ca]
...
crlDistributionPoints	= URI:http://server.test.av/test_ca.crl
...

...

Code Block
...
[ xpclient_ext]
...
crlDistributionPoints = URI:http://server.test.av/test_ca.crl # This URL will not actually be implemented at the moment, but choose a URL where it is possible to in future make the file available
...
 
[ xpserver_ext]
...
crlDistributionPoints = URI:http://server.test.av/test_ca.crl # This URL will not actually be implemented at the moment, but choose a URL where it is possible to in future make the file available
...
Code Block
cd /etc/freeradius/3.0/certs
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* # This step is probably not needed, 
make ca.pem
make ca.der
make server.pem
make server.csr
chown freerad:freerad *
chmod o-rwx *
rm bootstrap
rm passwords.mk
# Delete all other files in the folder except: server.cnf, ca.cnf, xpextensions, Makefile, README, dh, ca.pem, server.pem, server.key

...

On Mac OS, iPhone and Windows 10 supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user and the user is asked if they want to trust the server. In case the identity presented by the RADIUS server changes at any point, the user will be prompted with a message, not containing any reasonable warning, sadly, that looks identical to the one displayed when connecting for the first time, where a user is extremely likely to press Trust/Connect once again (on Windows 10, the message also advises the user to connect if they are in a location where said SSID is expected to be present). On Windows 10, in case the user does press Connect again, the supplicant stores both identities and thereon connects without further warning to any server presenting any of those identities, on Mac OS and iPhone this has not been tested. On Mac OS and Windows 10, it is also possible to copy the ca.pem file and install it, on iPhone, this did not seem to have any effect. This avoids the prompt on first connect and protects against a rogue RADIUS server intercepting the connection at that timeon the supplicant's first connection attempt, when, it would, otherwise, be still impossible to verify its authenticitydistinguish it from the authentic one. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) on Mac OS and iPhone to configure the supplicant to not send the real user name in the unencrypted outer tunnel. On Windows 10 this is somewhat easier. '@@@' to verify. '@@@'