Re: EAP-TLS with certificates, can it be done without knowing the date and time ?



On Tue, 2014-02-25 at 09:55 +0100, Jürgen Benjamin Ronshausen wrote:
> Hi,
>
> regarding NetworkManager connecting to an EAP-TLS secured 802.1X network
> that uses client server certificates.
>
> I cannot find information on whether or not it is possible to
> authenticate as a supplicant against an authentication server without
> knowing the shared date and time.

At the moment, this is not possible with NetworkManager.  wpa_supplicant
does support this option (tls_disable_time_checks=1), however, so we
could potentially add it to NetworkManager and pass it down to the
supplicant.

> I have seen an implementation which I am pretty sure doesn't
> provide the supplicant with the current date and time. (This board has
> no battery for an RTC).
>
> In my current setup if the supplicant doesn't know the shared date and
> time authentication fails because the Authentication server rejects the
> client certificate as invalid or expired.
>
> Are there any means in 802.1X to supply the supplicant with the current
> time before it tries to authenticate against the authentication server?

This is pretty much impossible unless you have a 3G radio onboard.  If
not, then you just have to disable the time checks, accept that security
is reduced, and then do something like NTP once you've connected to get
the correct time.  Then possibly terminate the connection if the
server's certificate has expired.

Dan
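
The sequence described in the reply above (authenticate with time checks disabled, sync the clock, then re-check the server certificate), as an added example that is not part of the original message and not NetworkManager or wpa_supplicant code. It assumes a saved copy of the server certificate whose dates were printed with `openssl x509 -noout -dates`; `CLOCK_FLOOR`, `SAMPLE_DATES` and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Assumption: the firmware build date is a lower bound for real time. A clock
# earlier than this has not been synchronised yet (no battery-backed RTC).
CLOCK_FLOOR = datetime(2014, 2, 1, tzinfo=timezone.utc)

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE_DATES = "notBefore=Feb  1 00:00:00 2013 GMT\nnotAfter=Feb  1 00:00:00 2015 GMT\n"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from `-dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = value.strip()
            if not stamp.endswith(" GMT"):
                raise ValueError("unexpected timestamp: %r" % stamp)
            # openssl pads single-digit days with a space; strptime accepts that.
            parsed = datetime.strptime(stamp[:-4], "%b %d %H:%M:%S %Y")
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("both notBefore and notAfter are required")
    return fields["notBefore"], fields["notAfter"]


def deferred_time_check(dates_text, now, clock_floor=CLOCK_FLOOR):
    """Decide what to do with a link that was authenticated with time checks off.

    Returns "recheck-later" while the clock is still unsynchronised, "keep" if
    the certificate is inside its validity window, otherwise "disconnect".
    """
    if now < clock_floor:
        return "recheck-later"  # clock not trustworthy yet, so no verdict
    not_before, not_after = parse_openssl_dates(dates_text)
    if not_before <= now <= not_after:
        return "keep"
    return "disconnect"  # expired or not yet valid at the real time


if __name__ == "__main__":
    print(deferred_time_check(SAMPLE_DATES, datetime.now(timezone.utc)))
```

Until the check returns "keep", the link has been authenticated without any validity-period enforcement, so traffic sent before the clock is synchronised gets no protection from certificate expiry.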


