Security

Hello All, Currently we use self signed certificate for the radius servert certificate in CPMM(6.3.22) and things work fine. But i noticed the CN of the certificate doesn't match the server name and there is no SAN either, the threads here read either CN/SAN has to match the server name.

Is this supposed to work even without a matching CN/SAN ?

 For 802.1X authentication, the name does not have to match (although some like it to).  For HTTPS, it should match.  Please review the Certificates 101 for CPPM technote for more details on your options (attached).

Attachment(s)

CPPM - Certificates 101 Technote V1.0 .pdf   6.99 MB 1 version

Thanks for the clarification chris.

-Sundar

Also keep in mind that using a self-signed RADIUS certificate can expose credentials unless the cert is directly loaded onto all clients.

Hi Tim, Could you please brief about how self-signed CA can expose credentials or point to any exisitng link ?

We do push the certs through Windows GPO,

Thanks.

Sundar

If you are using Group Policy to configure the supplicant correctly (install cert, verify cert, verify common name, etc), then you having nothing to worry about.

BYOD devices will not have the CA for your cert since it is self-signed and many will choose to connect and NOT verify the server certificate which means you are opening your network up to Man in the middle attacks where credentials can be compromised.

Here's a great write-up:

http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html

Thanks for the clarification Tim.

-Thanks

Sundar