EAP-TLS computer authentication on Aerohive Radius "host/" problem

I would like to use EAP-TLS with computer authentication with the Aerohive RADIUS on the access point.
The problem is, Windows 7 and 10 are sending the common name (CN) of the computer certificate with a leading host/, e.g. host/computer1.

The problem is, you cannot revoke the access if you lose a certificate, because of the following reasons:

1. Aerohive AAA Server Settings are not helpful:
Option "Query database to check if the user exists" -> for TLS authentication:
With this setting the EAP-Identity of the client needs to be in the RADIUS database. This option is useless for security because the client can send an arbitrary EAP-Identity.
So for security you also need "Check the common name in the certificate against the user for TLS authentication". But this does not work for computer authentication because Windows sends host/CN.

2. It looks like the Aerohive RADIUS doesn't support Certificate Revocation Lists (CRL). So revoking the certificate is useless. Can somebody confirm?
This is so annoying, because the manual says, you need a CRL for the security!

http://docs.aerohive.com/330000/docs/help/english/6.8r7/hm/full/help.htm#config/auth/aaaServD.htm

Has somebody a solution for the problem?
Can I remove the host/ in the Aerohive RADIUS?
Can I remove the host/ in the EAP-Identity from the Windows machine?

Please Aerohive, care about security and implement CRL in your RADIUS, or give the user the option to remove the host/ prefix.
Also, it would make much more sense if you compared the CN of the computer certificate with the RADIUS database. This would also solve the problem.

Thx
Christian Hilgers

Posted 1 year ago

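The authorization logic the post asks for, as an added example that is not Aerohive's code and not part of the original post: the certificate CN (not the client-chosen EAP-Identity) is matched against the host database, the Windows host/ prefix is normalized away before the identity is compared with the CN, and a revocation list is consulted. The host database, serial numbers and revoked serials are constructed sample values.

```python
# Hypothetical RADIUS-side policy check for EAP-TLS computer authentication.
# Not Aerohive code; illustrates the three checks the post asks for.

HOST_PREFIX = "host/"  # prefix Windows prepends to the EAP-Identity for machine auth

# Constructed sample data: hosts allowed to join, and serials of lost/revoked certs.
ALLOWED_HOSTS = {"computer1.example.local", "computer2.example.local"}
REVOKED_SERIALS = {"0x1a2b"}


def normalize_identity(eap_identity):
    """Strip the 'host/' prefix so the identity can be compared with the cert CN."""
    if eap_identity.lower().startswith(HOST_PREFIX):
        return eap_identity[len(HOST_PREFIX):].lower()
    return eap_identity.lower()


def authorize(eap_identity, cert_cn, cert_serial,
              allowed_hosts=ALLOWED_HOSTS, revoked_serials=REVOKED_SERIALS):
    """Return (accepted, reason) for one EAP-TLS computer-authentication attempt.

    The decision is driven by the certificate, which the client cannot forge
    without the private key; the EAP-Identity is only cross-checked against it.
    """
    # 1. Revocation: a lost certificate must stop working once its serial is listed.
    if cert_serial in revoked_serials:
        return False, "certificate revoked"
    # 2. Authorization by certificate CN, not by the arbitrary EAP-Identity.
    if cert_cn.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not in database"
    # 3. Consistency: the (normalized) identity must name the same host as the CN.
    if normalize_identity(eap_identity) != cert_cn.lower():
        return False, "identity does not match certificate CN"
    return True, "ok"
```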