0

I have a little question. I am not sure but does clients need to resolve AAA Server via DNS and need to reach AAA Server if I use EAP-TTLS with GoDaddy x509 Certificates to verify the certificate on e.g. Mobile Devices?

I have a AAA Server in a separate Network installed which is only reachable for the authenticator (Wireless Controller). The Clients communicate with the AccessPoint. A hand full devices like Android are not able to connect the wireless because of certificate validation error. The other devices has no problems. You see the certificate of the server and after accept, the connection will be established. The AAA Server sends the full chain like RootCA, Intermediate and server certificate.

BR. Torsten

Torsten Wilms
  • 1

2 Answers2

0

No, the Wi-Fi client never talks directly to the AAA server via network (it doesn't have the RADIUS secret). It only validates the certificate against the user-provided domain name.

If you choose "Use system CA" in Android and fill in the (mandatory) "Domain name" field, it follows the same rules as domain_suffix_match in Linux wpa_supplicant.

I would recommend testing the APs with a Linux client running wpa_supplicant. Alternatively, you can use eapol_test (also comes as part of wpa_supplicant) to directly test its EAP client against a RADIUS server.

user1686
  • 10,162
  • 1
  • 26
  • 42
  • Maybe I'm just on the hose. In my case, the certificate looks correct to me, and the complete chain seems to be included. But if I can't verify who is offering me the certificate, then I can't trust them. Otherwise any site could offer me a valid certificate from someone else and I would accept it. The assignment of the server + valid certificate must also be correct. Hence my question regarding the DNS server to resolve the DNS names that are in the certificate. – Torsten Wilms Jun 29 '23 at 14:35
  • @TorstenWilms: Resolved to what? It's exactly the same as with TLS elsewhere: a TLS client _explicitly does not_ resolve domain names that are in the certificate; it verifies them exactly against the user's input (e.g. against the user-provided URL in case of HTTPS – or against the user-provided "domain name" field in case of WPA-Enterprise EAP). The server's actual IP address is irrelevant to the verification. – user1686 Jun 29 '23 at 19:28
  • @TorstenWilms: The idea of certificates isn't that they're verified by IP, or anything like that – they're verified by the public key that's within the certificate. The certificate you get is accompanied with a signature from the private key; **that's** what prevents any site from offering you certificates from another site. (It's why you had to install the private key into your AAA server, in addition to just the certificate alone.) – user1686 Jun 29 '23 at 19:29
0

It sounds like you need to add your Root CA and Intermediate CA certificates to the trust store of the Android devices.

DubStep
  • 270
  • 2
  • 9