Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

RADIUS server certificate

Hello All, currently we use a self-signed certificate for the RADIUS server certificate in CPPM (6.3.22) and things work fine. But I noticed the CN of the certificate doesn't match the server name and there is no SAN either; the threads here say that either the CN or the SAN has to match the server name.

Is this supposed to work even without a matching CN/SAN?

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: RADIUS server certificate


 For 802.1X authentication, the name does not have to match (although some like it to).  For HTTPS, it should match.  Please review the Certificates 101 for CPPM technote for more details on your options (attached).

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

Re: RADIUS server certificate

Thanks for the clarification, Chris.

-Sundar

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: RADIUS server certificate

Also keep in mind that using a self-signed RADIUS certificate can expose credentials unless the cert is directly loaded onto all clients.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

Re: RADIUS server certificate

Hi Tim, could you please briefly explain how a self-signed CA can expose credentials, or point to any existing link?

We do push the certs through Windows GPO.

 

Thanks.

Sundar

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: RADIUS server certificate

If you are using Group Policy to configure the supplicant correctly (install cert, verify cert, verify common name, etc.), then you have nothing to worry about.

BYOD devices will not have the CA for your cert since it is self-signed, and many will choose to connect and NOT verify the server certificate, which means you are opening your network up to man-in-the-middle attacks where credentials can be compromised.

Here's a great write-up:

http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

Re: RADIUS server certificate

Thanks for the clarification, Tim.

-Thanks

Sundar
