Date: Sat, 13 Jan 2018 15:41:57 +0100
From: Marek Zarychta
To: Victor Sudakov
Cc: freebsd-net@freebsd.org
Subject: Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID: <20180113144157.GA33988@plan-b.pwste.edu.pl>
References: <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> <20180108072035.GB52442@admin.sibptus.transneft.ru> <20180113095553.GA19901@admin.sibptus.transneft.ru> <20180113110739.GA20415@admin.sibptus.transneft.ru>
In-Reply-To: <20180113110739.GA20415@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD
On Sat, Jan 13, 2018 at 06:07:39PM +0700, Victor Sudakov wrote:
> Eitan Adler wrote:
> > On 13 January 2018 at 01:55, Victor Sudakov wrote:
> > >
> > > Are there any network experts willing to look at the dump of RADIUS
> > > traffic at http://noc.sibptus.ru/~sudakov/radius.pcap ?
> >
> > From wireshark: PEAP / EAP-MD5-CHALLENGE
>
> Eitan, do you mean it's EAP-MD5 encapsulated in PEAP (TLS tunnel)?
>
> Why is the client not checking the server's certificate authenticity
> and how do I make the client check it against a CA (if I need to)?

Dear Виктор,

The Android client doesn't care about server certificate authenticity, so you don't have to install the CA certificate, which was probably automatically generated by radius and written to the file:
/usr/local/etc/raddb/certs/ca.der

Windows and Mac clients do care about it, so the CA cert should be installed as a Trusted Root Certificate Authority for these clients.

If you want to have 0 problems with Windows clients, I recommend building a simple captive portal based on PF redirection and a simple login page. The page could be written as a CGI script in Perl or PHP. I also recommend incorporating net-mgmt/pftabled to manage the PF table directly from this portal without any risk of privilege escalation.
Bear also in mind that all initial client requests should be redirected by the HTTP server with a "Status: 302 Moved" response, otherwise the portal will not be properly discovered by clients, as was pointed out before.

-- 
Marek Zarychta
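A minimal version of the redirect-then-login logic described in this reply, written here as an added example in Python rather than the Perl or PHP the message suggests; it is not code from the thread, from FreeRADIUS or from pftabled. It assumes a hypothetical portal hostname and that a PF rdr rule already sends unauthorized clients' HTTP requests to this script.

```python
#!/usr/bin/env python3
# Added example (not from the thread): captive-portal CGI that answers every
# request from a not-yet-authorized client with "Status: 302" and serves the
# login form only on the portal's own URL. Assumes (hypothetical) that a PF
# rdr rule sends such clients' port-80 traffic here and that addresses added
# to the PF table (for example via pftabled) bypass the rule afterwards.
import os
import sys
from urllib.parse import quote

PORTAL_HOST = "portal.example.invalid"  # placeholder, not a real host
PORTAL_PATH = "/login"


def build_response(host, path):
    """Return (CGI status, header list, body) for one HTTP request.

    Only the portal's own login page gets a 200. Everything else, including
    the OS connectivity probes (Android, Windows and Apple all fetch a fixed
    URL to test the network), is answered with a 302 to the login page; that
    redirect is what makes the client show its "sign in to network" prompt.
    """
    if host == PORTAL_HOST and path.startswith(PORTAL_PATH):
        body = ("<html><body><form method=\"post\" action=\"/login\">"
                "<input name=\"user\"><input name=\"pass\" type=\"password\">"
                "<input type=\"submit\" value=\"Log in\"></form></body></html>")
        return "200 OK", [("Content-Type", "text/html")], body
    # Carry the originally requested URL along so the portal can send the
    # client back there after login; quote() keeps it a single parameter.
    original = quote("http://" + host + path, safe="")
    location = "https://%s%s?url=%s" % (PORTAL_HOST, PORTAL_PATH, original)
    headers = [("Location", location),
               ("Cache-Control", "no-store"),  # probes must never be cached
               ("Content-Type", "text/plain")]
    return "302 Moved", headers, "Redirecting to the login page\n"


def main():
    # CGI environment as set by the HTTP server for the redirected request.
    host = os.environ.get("HTTP_HOST", "")
    path = os.environ.get("REQUEST_URI", "/")
    status, headers, body = build_response(host, path)
    sys.stdout.write("Status: %s\r\n" % status)
    for name, value in headers:
        sys.stdout.write("%s: %s\r\n" % (name, value))
    sys.stdout.write("\r\n" + body)


if __name__ == "__main__":
    main()
```

The login handler itself (checking credentials and adding the client address to the PF table) is deliberately left out; the point shown is that the probe URL gets a redirect, not the form.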