Re: EAP-TLS with certificates, can it be done without knowing the date and time ?
- From: Dan Williams <dcbw redhat com>
- To: Jürgen Benjamin Ronshausen <b r rie eu>
- Cc: networkmanager-list gnome org
- Subject: Re: EAP-TLS with certificates, can it be done without knowing the date and time ?
- Date: Wed, 26 Feb 2014 10:56:59 -0600
On Tue, 2014-02-25 at 09:55 +0100, Jürgen Benjamin Ronshausen wrote:
> Hi,
> regarding NetworkManager connecting to an EAP-TLS secured 802.1X network
> that uses client server certificates.
> I cannot find information on whether or not it is possible to
> authenticate as a supplicant against an authentication server without
> knowing the shared date and time.
At the moment, this is not possible with NetworkManager. wpa_supplicant
does support this option (tls_disable_time_checks=1), however, so we
could potentially add it to NetworkManager and pass it down to the
supplicant.
> I have seen an implementation which I am pretty sure doesn't
> provide the supplicant with the current date and time. (This board has
> no battery for an RTC).
> In my current setup if the supplicant doesn't know the shared date and
> time, authentication fails because the authentication server rejects the
> client certificate as invalid or expired.
> Are there any means in 802.1X to supply the supplicant with the current
> time before it tries to authenticate against the authentication server?
This is pretty much impossible unless you have a 3G radio onboard. If
not, then you just have to disable the time checks, accept that security
is reduced, and then do something like NTP once you've connected to get
the correct time. Then possibly terminate the connection if the
server's certificate has expired.
Dan
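
The deferred check described in the reply above (connect with time checks disabled, set the clock over NTP, then judge the server certificate), as an added example that is not part of the original message and not NetworkManager or wpa_supplicant code. The function names, the `CLOCK_FLOOR` cutoff and the sample dates are assumptions; the input is the text printed by `openssl x509 -noout -dates` for the server certificate.

```python
import ssl
from enum import Enum

# Assumption: a reading earlier than this means the RTC-less board has not
# been set yet (it booted at the epoch or at a firmware build date).
CLOCK_FLOOR = ssl.cert_time_to_seconds("Jan  1 00:00:00 2014 GMT")


class Verdict(Enum):
    CLOCK_UNSYNCED = "clock not set yet; wait for NTP before judging"
    VALID = "inside validity window; keep the connection"
    NOT_YET_VALID = "notBefore is in the future; disconnect"
    EXPIRED = "notAfter has passed; disconnect"


def parse_dates(text):
    """Parse the two lines printed by `openssl x509 -noout -dates`."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))


def recheck_server_cert(dates_text, now):
    """Apply the validity check that was skipped during the handshake.

    `now` is seconds since the epoch, read after the NTP step.
    """
    if now < CLOCK_FLOOR:
        return Verdict.CLOCK_UNSYNCED
    not_before, not_after = parse_dates(dates_text)
    if now < not_before:
        return Verdict.NOT_YET_VALID
    if now > not_after:
        return Verdict.EXPIRED
    return Verdict.VALID


def should_disconnect(verdict):
    return verdict in (Verdict.NOT_YET_VALID, Verdict.EXPIRED)


# Constructed sample: validity dates of a hypothetical RADIUS server certificate.
SAMPLE_DATES = """notBefore=Feb 26 16:56:59 2013 GMT
notAfter=Feb 26 16:56:59 2015 GMT"""

if __name__ == "__main__":
    import time
    verdict = recheck_server_cert(SAMPLE_DATES, time.time())
    print(verdict.name, "-", verdict.value, "| disconnect:", should_disconnect(verdict))
```

The `CLOCK_UNSYNCED` case keeps a board that is still at its boot-time clock from reporting a current certificate as not yet valid.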