Date: Sun, 14 Jan 2018 13:31:40 +0700 From: Victor Sudakov <vas@mpeks.tomsk.su> To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> Cc: freebsd-net@freebsd.org Subject: Re: Fwd: Re: Quasi-enterprise WiFi network Message-ID: <20180114063140.GA28750@admin.sibptus.transneft.ru> In-Reply-To: <20180113144157.GA33988@plan-b.pwste.edu.pl> References: <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> <CAOjFWZ5j%2BixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com> <20180108072035.GB52442@admin.sibptus.transneft.ru> <CAOjFWZ6XY2pHaVUqwSxL=hK9VdKh0ZdFMeHMdbhsDC=z8zngYw@mail.gmail.com> <20180113095553.GA19901@admin.sibptus.transneft.ru> <CAF6rxgkDugr=dcYptufVR71Fn9pdAtmxZfKe8QwQpChUN0ckTQ@mail.gmail.com> <20180113110739.GA20415@admin.sibptus.transneft.ru> <20180113144157.GA33988@plan-b.pwste.edu.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
Marek Zarychta wrote: > On Sat, Jan 13, 2018 at 06:07:39PM +0700, Victor Sudakov wrote: > > Eitan Adler wrote: > > > > > > > > > > > > Are there any network experts willing to look at the dump of RADIUS > > > > traffic at http://noc.sibptus.ru/~sudakov/radius.pcap ? > > > > > > > > > >From wireshark: PEAP / EAP-MD5-CHALLENGE > > > > Eitan, do you mean it's EAP-MD5 encapsulated in PEAP (TLS tunnel)? > > > > Why is the client not checking the server's certificate authenticity > > and how do I make the client check it against a CA (if I need to)? > > Dear Виктор, > > Android client doesn't care for server certificate authenticity, so you > don't have to install CA certificate, which was probably automatically > generated by radius and written to file: > /usr/local/etc/raddb/certs/ca.der $raddbdir/certs/{server,ca}.pem for the server and CA respectively, if I read mods-enabled/eap correctly. > > Windows and Mac clients do care for it, so the CA cert should be > installed as a Trusted Root Certificate Authority for these clients. This is bad news for me. However I'll report here when I have experimented with different supplicants. > > If you want to have 0 problems with Windows clients, I recommend building > simple captive portal based on PF redirection and simple login page. There are ready-to-use captive portals in pfSense and m0n0wall (I did not test the latter though), so I think there is no need for me to code in PHP or whatever. What I'm trying to avoid is deploying a dedicated FreeBSD/pfSense box at remote hotspots. And the TL-WR740N router/AP does not do any traffic tunneling via a central hub (or I have not found a way to enable it). Do you know how commercial captive portals handle this problem? Do they install their own box near every customer's AP? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180114063140.GA28750>