Date:      Sat, 13 Jan 2018 15:41:57 +0100
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        Victor Sudakov <vas@mpeks.tomsk.su>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID:  <20180113144157.GA33988@plan-b.pwste.edu.pl>
In-Reply-To: <20180113110739.GA20415@admin.sibptus.transneft.ru>
References:  <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> <CAOjFWZ5j%2BixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com> <20180108072035.GB52442@admin.sibptus.transneft.ru> <CAOjFWZ6XY2pHaVUqwSxL=hK9VdKh0ZdFMeHMdbhsDC=z8zngYw@mail.gmail.com> <20180113095553.GA19901@admin.sibptus.transneft.ru> <CAF6rxgkDugr=dcYptufVR71Fn9pdAtmxZfKe8QwQpChUN0ckTQ@mail.gmail.com> <20180113110739.GA20415@admin.sibptus.transneft.ru>



On Sat, Jan 13, 2018 at 06:07:39PM +0700, Victor Sudakov wrote:
> Eitan Adler wrote:
> > On 13 January 2018 at 01:55, Victor Sudakov <vas@mpeks.tomsk.su> wrote:
> > >
> > >
> > > Are there any network experts willing to look at the dump of RADIUS
> > > traffic at http://noc.sibptus.ru/~sudakov/radius.pcap ?
> >
> >
> > From wireshark: PEAP / EAP-MD5-CHALLENGE
>
> Eitan, do you mean it's EAP-MD5 encapsulated in PEAP (TLS tunnel)?
>
> Why is the client not checking the server's certificate authenticity
> and how do I make the client check it against a CA (if I need to)?

Dear Виктор,

The Android client doesn't care about server certificate authenticity, so you
don't have to install the CA certificate, which was probably automatically
generated by radius and written to the file:
/usr/local/etc/raddb/certs/ca.der

Windows and Mac clients do care for it, so the CA cert should be
installed as a Trusted Root Certificate Authority for these clients.

If you want to have zero problems with Windows clients, I recommend building
a simple captive portal based on PF redirection and a simple login page.

The page could be written as a CGI script in Perl or PHP.
I also recommend incorporating net-mgmt/pftabled to manage the PF table
directly from this portal without any risk of privilege escalation.

Bear in mind also that all initial client requests should be redirected
by the HTTP server with a "Status: 302 Moved" response, otherwise the portal
will not be properly discovered by clients, as was pointed out before.

-- 
Marek Zarychta
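To make the redirect-plus-table scheme Marek sketches concrete, here is an added example of the portal's HTTP side. It is not code from the thread or from pftabled, and it is in Python rather than the Perl or PHP he suggests. It assumes a PF rdr rule that sends every unauthenticated client's HTTP traffic to the portal host, and it delegates the "add this address to the PF bypass table" step to a callback (`table_add`) where a real deployment would drive pftabled; the hostname `portal.example.net`, the user records and the client addresses are all constructed for the example. The point it demonstrates is the one made in the message: a request that is not for the portal itself must get a 302, because a client's captive-portal probe (Android fetches `/generate_204` and expects a 204) treats a 302 as "portal present" and a 200 with the login page inline as ordinary content.

```python
"""Captive-portal login handler (added example, not code from the thread).

PF redirects unauthenticated clients' HTTP requests to this portal; the portal
answers non-portal requests with a 302 so probes detect it, and a successful
login calls table_add(ip) so the client's address is put in the PF table that
bypasses the redirect.  In production table_add would talk to pftabled; here
the caller passes any callable and the portal also records the address locally.
"""
import hashlib
import hmac
import os
from urllib.parse import urlencode, urlsplit

PORTAL_HOST = "portal.example.net"           # assumed portal hostname (constructed)
PORTAL_URL = f"https://{PORTAL_HOST}/login"  # where redirected clients are sent
PBKDF2_ITERATIONS = 200_000

LOGIN_FORM = (
    "<form method='post' action='/login'>"
    "<input name='user'><input name='password' type='password'>"
    "<input name='next' type='hidden'><input type='submit' value='Log in'></form>\n"
)


def _safe_next(url, default="http://example.net/"):
    """Only follow http/https targets after login, so the portal is not an open
    redirector for javascript: or other schemes."""
    parts = urlsplit(url or "")
    return url if parts.scheme in ("http", "https") and parts.netloc else default


class CaptivePortal:
    def __init__(self, table_add):
        self._table_add = table_add   # hook: add an address to the PF bypass table
        self.authorized = set()       # local mirror of what was handed to the table
        self._users = {}              # username -> (salt, pbkdf2 digest)

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest)

    def _check_password(self, username, password):
        # Unknown users take the same code path as wrong passwords; the final
        # comparison is constant-time.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, stored)

    def handle(self, client_ip, method, host, path, form=None):
        """Return (status, headers, body) for one HTTP request the portal receives."""
        form = form or {}
        if host != PORTAL_HOST:
            # A redirected client or a captive-portal probe: answer 302, never 200.
            original = f"http://{host}{path}"
            return 302, {"Location": f"{PORTAL_URL}?{urlencode({'next': original})}"}, ""
        if path == "/login" and method == "GET":
            if client_ip in self.authorized:
                return 200, {"Content-Type": "text/plain"}, "already logged in\n"
            return 200, {"Content-Type": "text/html"}, LOGIN_FORM
        if path == "/login" and method == "POST":
            if not self._check_password(form.get("user", ""), form.get("password", "")):
                return 401, {"Content-Type": "text/plain"}, "login failed\n"
            self._table_add(client_ip)          # would be the pftabled call
            self.authorized.add(client_ip)
            return 302, {"Location": _safe_next(form.get("next"))}, ""
        return 404, {"Content-Type": "text/plain"}, "not found\n"


if __name__ == "__main__":
    # Walk through the sequence an Android client goes through (constructed data).
    portal = CaptivePortal(table_add=lambda ip: print(f"table add {ip}"))
    portal.add_user("alice", "correct horse battery staple")
    print(portal.handle("10.0.0.5", "GET", "connectivitycheck.gstatic.com", "/generate_204"))
    print(portal.handle("10.0.0.5", "POST", PORTAL_HOST, "/login",
                        {"user": "alice", "password": "correct horse battery staple",
                         "next": "http://example.org/start"}))
```

The same handler shape fits a CGI script: the PF rdr rule decides who reaches it, the 302 makes probes flag the portal, and only the narrow "add one address" action is exposed to the unprivileged web process, which is exactly what delegating to pftabled buys.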
