Taskforce Mobility Mailarchive
Subject: Re: iPhone 2
From: Tomasz Wolniewicz <twoln@xxxxxx>
Date: Mon, 21 Jul 2008 09:02:42 +0200
Interesting.
By the way, what was the certificate that has been accepted? Certificate
of the Radius server, certificate of the CA?
What was the signing CA? GlobalSign or a self-signed one? Would a
connection be accepted if the CA certificate was not previously in the
certificate store? Is there a way to add a CA certificate to the
certificate store?
Would be interesting to know if accepting the certificate meant
accepting all servers signed by that CA or just this single server. If
the first is true (which would be true under Windows), then if your home
server is signed by a well-known CA and you accept all servers signed by
that CA and do not have a way to introduce a restriction on a server
name, then the resulting security would be zero.
This example probably shows one important aspect - PEAP rules. Whatever
we do, by using anything other than PEAP we are really making our users'
life miserable, with the possible exception of Windows XP (also SP3),
where PEAP is still difficult to set up. If we want to support users
with telephone-like devices, then we have to give them PEAP. If we are
giving PEAP to some, then why not to all?
Tomasz
Stefan Winter wrote:
Hi folks,
one of my colleagues was among the first-in-line to get an iPhone 2
(from Belgium, where it is unlocked by default and works with any SIM)
and tried eduroam first thing in the office.
The result: great. It asked for a username and password, presented the
certificate for inspection, and that was it. Didn't ask for any gory
details - the usual Apple user-friendliness.
That made me think, however, and I took a closer look at the request:
there was no anonymous outer identity, it used "the" username for both
outer and inner request.
A reconnect did not pop up the certificate request again, so the
"click accept" is permanent it seems.
Taking a look at the inner auth request, it looked PEAPish. The
supplicant didn't seem to offer a choice to change that.
Greetings,
Stefan
--
Tomasz Wolniewicz
twoln@xxxxxx http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
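As an added illustration (not part of the thread above), the two cases Tomasz distinguishes written as wpa_supplicant PEAP profiles: the first trusts any server whose certificate chains to a public CA, the second pins the home RADIUS server by name and uses an anonymous outer identity. The SSID, realm, certificate paths and server name are placeholders.

```ini
# Weak profile: any server certificate issued under any CA in the system
# bundle is accepted, so no restriction on the server name exists.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"          # placeholder username and realm
    password="REPLACE_ME"                # placeholder
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # whole public CA bundle
}

# Hardened profile: only the CA that signs the home RADIUS server is
# trusted, the certificate must carry the expected server name, and the
# outer identity reveals only the realm needed for routing.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.org"   # outer identity: realm only
    identity="user@example.org"                  # inner identity: real user
    password="REPLACE_ME"                        # placeholder
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.org"     # placeholder server name
}
```

With `domain_suffix_match` set, a certificate that chains to the same CA but names a different host is rejected, which is the server-name restriction the message asks about.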