Trust root or leaf certificate in 802.1x setup?

1

I am setting up 802.1x via wired or wireless (WPA2 Enterprise) connections in our office, backed by a OneLogin RADIUS server. The certificate is not self-signed, so it's not clear to me whether it's safe to import it into the Trusted Root CA store, but that seems to be the only way to enable certificate checking.

The certificate chain looks like this:

  • *.us.onelogin.com
  • RapidSSL SHA256 CA - G3
  • GeoTrust Global CA (already in the Windows Trusted Root CA store)

The leaf and intermediate certificates are passed by the RADIUS server (verified using eapol_test).

If I only enable the GeoTrust Global CA in the Protected EAP settings window, I still get a warning in Windows 10, as if no certificate checking was enabled ("Continue connecting? If you expect to find in this location, go ahead and connect. Otherwise, it may be a different network with the same name."). The warning does not show if I import the OneLogin certificate in the Trusted Root CA store and enable it in the EAP settings. The "Connect to these servers" field is set to radius.us.onelogin.com, so a MitM attack doesn't seem possible with just the actual GeoTrust root certificate enabled?

Is this expected behaviour? This (unrelated) Lync support article says that the Trusted Root CA store should only store self-signed certificates (which makes sense), and could cause issues otherwise. Also, in this answer to a similar question, I see "Some clients might be convinced to trust [the leaf certificate] directly, but not all of them permit such direct trust, and it would mean trouble when that certificate expires."

Jan Fabry

Posted 2016-04-19T07:47:54.580

Reputation: 157
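The chain described in the question (leaf, intermediate, root) and the trust choices it raises, reproduced with a throwaway chain and `openssl verify` standing in for the supplicant's certificate check. This is an added example, not code from the question, the commenters, OneLogin or Windows; every name in it (Example Test Root CA, radius.example.test, other.example.test) is constructed, and openssl's chain builder is only a model of the PEAP check, so it does not explain why Windows 10 shows the warning. What it demonstrates: with only the root in the trust store and the server name pinned, the genuine certificate is accepted while a certificate issued under the same root for another name is rejected; openssl refuses to trust a non-self-signed leaf directly unless `-partial_chain` is given, which matches the quoted remark that not all clients permit direct trust; and once the leaf expires or is renewed, root-based trust keeps working while a pinned leaf fails.

```shell
#!/bin/sh
# Added example, not part of the original question: build a throwaway
# root -> intermediate -> leaf chain with the openssl CLI and let
# "openssl verify" stand in for the supplicant's certificate check.
# All names (Example Test Root CA, radius.example.test, ...) are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXPECTED_SERVER="radius.example.test"   # stands in for "Connect to these servers"

# Sign a CSR with the given CA key/cert, applying the extensions in <extfile>.
issue() { # issue <csr> <ca-cert> <ca-key> <out-cert> <extfile> <days>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$4" -extfile "$5" -days "$6" >/dev/null 2>&1
}

# Build root, intermediate, leaf and a renewed leaf (idempotent).
make_chain() {
  [ -f "$WORK/root.pem" ] && return 0
  # Minimal req config so the script does not depend on the system openssl.cnf.
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root: the only kind of certificate a "Trusted Root CA" store is for.
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 3650 >/dev/null 2>&1
  # Intermediate CA, the role "RapidSSL SHA256 CA - G3" plays in the question.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
  issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.pem" "$WORK/int.ext" 1825
  # Leaf (the RADIUS server's certificate); the SAN carries the server name.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$EXPECTED_SERVER" > "$WORK/leaf.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=$EXPECTED_SERVER" >/dev/null 2>&1
  issue "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.pem" "$WORK/leaf.ext" 30
  # The same server after renewal: same key and name, a different certificate.
  issue "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf-renewed.pem" "$WORK/leaf.ext" 30
}

# Supplicant-style check: a trust store, the intermediate as sent by the
# server (untrusted input), and the configured server name. Exit 0 = accept.
verify() { # verify <trust-store-file> <server-name> <leaf-cert> [extra openssl verify options]
  trust=$1; name=$2; leaf=$3; shift 3
  openssl verify -CAfile "$trust" -untrusted "$WORK/int.pem" \
    -verify_hostname "$name" "$@" "$leaf" >/dev/null 2>&1
}

show() { # show <label> <verify arguments...>
  label=$1; shift
  if verify "$@"; then echo "accept: $label"; else echo "reject: $label"; fi
}

make_chain
LATER=$(( $(date +%s) + 60 * 86400 ))   # 60 days from now: past the leaf's 30-day validity

show "root in trust store, name matches"           "$WORK/root.pem" "$EXPECTED_SERVER" "$WORK/leaf.pem"
show "root in trust store, name does not match"    "$WORK/root.pem" other.example.test "$WORK/leaf.pem"
show "leaf in trust store, no partial-chain trust" "$WORK/leaf.pem" "$EXPECTED_SERVER" "$WORK/leaf.pem"
show "leaf in trust store, partial chain allowed"  "$WORK/leaf.pem" "$EXPECTED_SERVER" "$WORK/leaf.pem" -partial_chain
show "root in trust store, checked after expiry"   "$WORK/root.pem" "$EXPECTED_SERVER" "$WORK/leaf.pem" -attime "$LATER"
show "root in trust store, renewed leaf"           "$WORK/root.pem" "$EXPECTED_SERVER" "$WORK/leaf-renewed.pem"
show "old leaf in trust store, renewed leaf"       "$WORK/leaf.pem" "$EXPECTED_SERVER" "$WORK/leaf-renewed.pem" -partial_chain
```

Run it with `sh` and OpenSSL 1.1.1 or newer on the PATH. The first two lines are the configuration the question describes: only the root in the trust store plus a server-name constraint. The intermediate is never installed on the client; it is passed to `openssl verify` as untrusted input, the same way a RADIUS server hands it to the supplicant inside the EAP-TLS exchange.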

Does the RADIUS server actually send the correct intermediates (i.e. the RapidSSL cert)? Without it, the client couldn't possibly create the chain with missing links. Web browsers often paper over this problem by caching previously seen intermediates, so it's a very common misconfiguration. – user1686 – 2016-04-19T10:04:19.337

@grawity That's a good question, but I don't control the OneLogin RADIUS server, and I don't know how to see the certificates - openssl s_client is of no use here I think, as RADIUS works over UDP? – Jan Fabry – 2016-04-19T12:02:32.500

And more importantly, it wouldn't be RADIUS-in-TLS anyway, but TLS inside RADIUS... wpa_supplicant should show the chain in its debug output, and also comes with "eapol_test" which could be used for testing a server directly. – user1686 – 2016-04-19T15:33:33.633

@grawity I tested it with eapol_test, and the intermediate certificate is also sent by the server. – Jan Fabry – 2016-04-20T18:30:36.207

No answers