EAP-TTLS/PAP -> LDAP for WPA2

John Allman allmanj at cp.dias.ie
Fri Jul 7 17:16:47 CEST 2006


Stefan Winter wrote:
>> I'm searching through my Dell wireless WLAN card utility and I'm pretty sure
>> I can't hide it. Are Dell breaking any RFCs or other standards that I can
>> take them up on?
> 
> No. It's optional. If Dell doesn't do it, bad luck. But you can always install 
> a supplicant that does it, for example at www.securew2.com (very nice 
> supplicant, IMO).

I'm very impressed. I installed this and all of my complaints and
concerns are answered! Now I'm assuming and hoping the Linux WPA
supplicant also supports this...


> Uh. You should consider that you will have _no_ link-layer encryption when 
> using captive portals. And connections can be hijacked. And with a shared 
> key, you have no accountability. And the shared key will flow over the net 
> unencrypted, so anyone can pick it up and abuse your network.
> OTOH, what's so secret about a user name? User names are the _public_ parts of 
> credentials, it's the passwords that are critical.
> If you really don't want usernames to be important at all, use EAP-TLS. The 
> client certificate will identify you, no matter what garbage you put into the 
> user name.
> Captive portals are a step back with regards to security.
> 

Well, I was going to use WPA2 with a pre-shared key, which would provide
the link-layer encryption (as I understand it), but then require a
username and password as another step in case the key got leaked. You're
right about the accountability, but are you sure about the shared key
going over the net unencrypted? This doesn't sound right...

Since we're talking about our LDAP directory, which we use for pretty
much *everything*, having a list of usernames gives an attacker a
starting point for brute-force attacks. It could also be used as a
starting point for identity theft or spamming.

EAP-TLS is probably the most secure way to do things, though it does
require installing certs. I'll definitely be giving it consideration.

Thanks again for all your help - I'm feeling pretty happy with my setup now,

John
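Added example (not part of the thread above, and not John's or Stefan's configuration): a wpa_supplicant.conf showing the two setups discussed, EAP-TTLS/PAP with an anonymous outer identity so the real username is only sent inside the TLS tunnel, and EAP-TLS where the client certificate does the identifying. The SSID, realm, usernames, certificate paths and server name are placeholders; the option names are wpa_supplicant's own.

```conf
# Constructed example for wpa_supplicant (Linux). Placeholders: SSID, realm,
# user names, certificate paths and the RADIUS server's CN.
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

# Option 1: EAP-TTLS with PAP as the inner method. PAP carries the cleartext
# password inside the tunnel, which is what lets the RADIUS server do a plain
# LDAP bind against the directory.
network={
    ssid="example-wlan"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TTLS
    # Outer identity: this is what goes into the cleartext EAP-Response/Identity
    # and is visible to the AP, any RADIUS proxies and anyone sniffing the air.
    # Keep the realm so proxies can still route the request.
    anonymous_identity="anonymous@example.org"
    # Inner identity and password: only sent after the TLS tunnel is up.
    identity="jallman@example.org"
    password="correct horse battery staple"
    phase2="auth=PAP"
    # Validate the RADIUS server certificate. Without ca_cert the supplicant
    # will tunnel the password to any rogue AP that presents a certificate.
    ca_cert="/etc/cert/example-org-ca.pem"
    # Also pin the server name; newer wpa_supplicant versions prefer
    # domain_match= over subject_match= for this.
    subject_match="/CN=radius.example.org"
}

# Option 2: EAP-TLS. The client certificate identifies the user, so the
# identity string is not security-relevant and can be anything the server
# accepts. Disabled here so only one block applies to the SSID; enable it
# and disable the TTLS block to switch.
network={
    ssid="example-wlan"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="anonymous@example.org"
    ca_cert="/etc/cert/example-org-ca.pem"
    client_cert="/etc/cert/jallman.pem"
    private_key="/etc/cert/jallman.key"
    private_key_passwd="key-passphrase"
    subject_match="/CN=radius.example.org"
    disabled=1
}
```

Run with `wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -d` and watch the EAP-Response/Identity in the debug output: with the TTLS block it carries the anonymous outer identity, and the inner identity only appears after "EAP-TTLS: Phase 2". Note that the ca_cert line is what actually protects the password; the anonymous outer identity only hides which user is connecting.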



More information about the Freeradius-Users mailing list