Score:0

802.1x with GoDaddy Certificates EAP-TTLS


I have a little question. I am not sure, but do clients need to resolve the AAA Server via DNS and need to reach the AAA Server if I use EAP-TTLS with GoDaddy x509 Certificates to verify the certificate on e.g. Mobile Devices?

I have an AAA Server installed in a separate Network which is only reachable for the authenticator (Wireless Controller). The Clients communicate with the Access Point. A handful of devices like Android are not able to connect to the wireless because of a certificate validation error. The other devices have no problems. You see the certificate of the server and, after accepting, the connection will be established. The AAA Server sends the full chain: Root CA, Intermediate and server certificate.

BR. Torsten

Score:0

No, the Wi-Fi client never talks directly to the AAA server via network (it doesn't have the RADIUS secret). It only validates the certificate against the user-provided domain name.

If you choose "Use system CA" in Android and fill in the (mandatory) "Domain name" field, it follows the same rules as domain_suffix_match in Linux wpa_supplicant.

I would recommend testing the APs with a Linux client running wpa_supplicant. Alternatively, you can use eapol_test (also comes as part of wpa_supplicant) to directly test its EAP client against a RADIUS server.

Torsten Wilms:
Maybe I'm just on the hose. In my case, the certificate looks correct to me, and the complete chain seems to be included. But if I can't verify who is offering me the certificate, then I can't trust them. Otherwise any site could offer me a valid certificate from someone else and I would accept it. The assignment of the server + valid certificate must also be correct. Hence my question regarding the DNS server to resolve the DNS names that are in the certificate.
user1686:
@TorstenWilms: Resolved to what? It's exactly the same as with TLS elsewhere: a TLS client _explicitly does not_ resolve domain names that are in the certificate; it verifies them exactly against the user's input (e.g. against the user-provided URL in case of HTTPS – or against the user-provided "domain name" field in case of WPA-Enterprise EAP). The server's actual IP address is irrelevant to the verification.
user1686:
@TorstenWilms: The idea of certificates isn't that they're verified by IP, or anything like that – they're verified by the public key that's within the certificate. The certificate you get is accompanied with a signature from the private key; **that's** what prevents any site from offering you certificates from another site. (It's why you had to install the private key into your AAA server, in addition to just the certificate alone.)
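The suffix rule the answer refers to, as an added example that is not part of any post in this thread: it reproduces how wpa_supplicant's `domain_suffix_match` (and Android's "Domain name" field, which is passed through as that option) compares the user-entered name against the server certificate's dNSName entries, label by label from the top-level domain, with no DNS lookup anywhere. The SAN lists and hostnames below are constructed; parsing of the actual X.509 certificate is left out, and wildcard names are not handled.

```python
# Suffix matching as wpa_supplicant documents it for domain_suffix_match.
# Constructed SAN lists stand in for a parsed AAA server certificate.

def suffix_match(host: str, suffix: str) -> bool:
    """True if every label of `suffix` appears at the end of `host`,
    compared on label boundaries (case-insensitive, trailing dot ignored).
    'example.net' matches 'radius.example.net' but never 'notexample.net'."""
    if not suffix:
        # An empty constraint is rejected here. wpa_supplicant treats an
        # unset domain_suffix_match as "no check"; Android makes it mandatory.
        return False
    host_labels = host.lower().rstrip(".").split(".")
    suffix_labels = suffix.lower().rstrip(".").split(".")
    if len(suffix_labels) > len(host_labels):
        return False
    return host_labels[-len(suffix_labels):] == suffix_labels


def server_cert_matches(san_dns_names: list[str], subject_cn: str, suffix: str) -> bool:
    """dNSName SAN entries are checked first; the Subject CN is consulted
    only when the certificate carries no dNSName at all."""
    if san_dns_names:
        return any(suffix_match(name, suffix) for name in san_dns_names)
    return suffix_match(subject_cn, suffix)


# Constructed stand-in for the AAA server certificate (hypothetical names).
AAA_CERT = {"san": ["radius.example.net", "aaa.example.net"],
            "cn": "radius.example.net"}


def check(domain_field: str) -> bool:
    """What a client with AAA_CERT presented and `domain_field` entered decides."""
    return server_cert_matches(AAA_CERT["san"], AAA_CERT["cn"], domain_field)


if __name__ == "__main__":
    for entered in ["radius.example.net", "example.net", "aaa.example.net",
                    "notexample.net", "radius.example.org", ""]:
        print(f"{entered or '<empty>':22} -> {check(entered)}")
```

The client needs only the certificate chain the authenticator relays inside EAP and the trust anchor in its own store; the AAA server's IP address and DNS records never enter the comparison.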
Score:0

It sounds like you need to add your Root CA and Intermediate CA certificates to the trust store of the Android devices.
