Thursday, November 18, 2021

How Does a RADIUS Client/Supplicant Validate an Authentication Server?

Hey all,

Thanks in advance for your patience and time. I seem to have a fundamental misunderstanding about something. I am trying to understand how a RADIUS client/supplicant actually validates that the authentication server is who it claims to be.

When I go to a website like reddit.com in my browser--I typed that myself, and by extension my browser knows what service/platform I am trying to contact. We resolve the URL/DNS name to an IP address and establish a connection to that IP. My browser receives a certificate from the server when making that connection, and compares the common name on the certificate to the URL I typed in. If they match, the certificate is formatted correctly and my browser trusts the certificate authority that issued that certificate, then I can confirm that my connection will be encrypted, and that my traffic is going to the correct destination. If the common name does not match, then my browser gives me a warning: "Hey client, technically your communication will be encrypted when it is sent but we can't guarantee who is receiving this information on the other side--it seems fishy, do you want to continue?" Of course my browser usually makes many such connections to many webservers when I go to a single website, to pull content from different servers, but at the end of the day, we know what destination servers we want to talk to (URLs/DNS lookups), and can validate that the certificate belongs to those destinations (common name and trusting the issuing CA).

How in the world does this work with RADIUS? As the client I seemingly have know prior knowledge about the authentication server before I receive the server's certificate. I did not make a request to a specific destination--akin to typing in a URL in a browser--I am simply letting the authenticator arbitrate the communications between myself and the authentication server. Every explanation about the process I have come across seems to gloss over this idea. Does the client actually forego validating the identity of the server? Does it just say "the presented certificate is in the correct format, I am happy with the format of the common name and subject alternative name fields, the appropriate extended key usage type(s) are designated for this purpose of RADIUS authentication and I trust the root CA who issued the certificate--that's good enough!"? Under what circumstances would the client question the info contained in the CN and SAN fields of this certificate?

Bonus points to anyone who wants to elucidate exactly what is needed to create a valid (for all endpoints) third-party-signed certificate to be used in RADIUS authentication (I know wildcard certs are supposedly a no-no), but this information seems to be more readily available via Google than the answer to my previous question (even though there might be some conflicting info out there).

Thanks for your time!



No comments:

Post a Comment