Hi.
Let me provide a bit more depth to this answer:
Authentication happens in a lot of places in moonshot.
The current answer seems to be confusing the authentication of the home
AAA server by the RP which is handled by trust router with the
authentication of the home AAA server/EAP server by the client.
I'll focus on the authentication of the home AAA server by the client.
Currently, that doesn't work ideally because of some bugs.
On Windows, you can select a certificate store in the msetup GUI.
If you do that, then any certificate chaining back to a trust anchor in
that certificate store will be accepted.
On Unix, there are a number of methods you can use.
The recommended method is to include the SHA-256 hash of the certificate
that will be used in EAP-TTLS in the XML file loaded into the Moonshot
UI to provision an identity.
Unfortunately, because of
https://bugs.launchpad.net/moonshot/+bug/1181391 the certificate is not
actually checked.
Fixing that bug is fairly high on my list.
Long-term we'll be including the same UI in the Windows product that we
have for the Unix product and will be using reasonably consistent
semantics for validation.
--Sam
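Added example (not from Sam's message or from the Moonshot code) of what the Unix-side check described above should do once the pinned SHA-256 hash is actually enforced: read the pin from the provisioning XML and compare it against the fingerprint of the certificate presented in EAP-TTLS, failing closed when the pin is missing or malformed. The `<trust-anchor>`/`<server-cert>` element names, the identity file and the certificate bytes are constructed assumptions.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample: stands in for the DER-encoded EAP-TTLS server certificate
# presented during the TLS handshake. It is not a real certificate.
SAMPLE_SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-eap-ttls-server-cert"

# Constructed provisioning file. The <trust-anchor>/<server-cert> element names
# are an assumption about the Moonshot identity XML, not taken from its docs.
SAMPLE_IDENTITY_XML = """<identities>
  <identity>
    <display-name>Example realm (constructed)</display-name>
    <user>alice</user>
    <realm>example.org</realm>
    <trust-anchor>
      <server-cert>01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF</server-cert>
    </trust-anchor>
  </identity>
</identities>"""

def normalize_fingerprint(value):
    """Accept colon-/space-separated or bare hex; return 64 lowercase hex chars or None."""
    cleaned = re.sub(r"[\s:]", "", value or "").lower()
    return cleaned if re.fullmatch(r"[0-9a-f]{64}", cleaned) else None

def cert_sha256(der_bytes):
    """SHA-256 fingerprint of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()

def extract_pinned_fingerprint(xml_text):
    """Return the provisioned pin (normalized), or None if absent or malformed."""
    node = ET.fromstring(xml_text).find("./identity/trust-anchor/server-cert")
    return normalize_fingerprint(node.text) if node is not None else None

def server_cert_matches_pin(der_bytes, pinned_fingerprint):
    """True only when the presented certificate hashes to the provisioned pin.
    A missing or malformed pin fails closed; it never means 'skip the check'."""
    pin = normalize_fingerprint(pinned_fingerprint)
    if pin is None:
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(cert_sha256(der_bytes), pin)

def validate_identity(xml_text, presented_der):
    """Read the pin from the identity file and check the presented certificate."""
    return server_cert_matches_pin(presented_der, extract_pinned_fingerprint(xml_text))
```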