How to enable only EAP-TTLS type and not EAP-TLS?
Reimer Karlsen-Masur, DFN-CERT
karlsen-masur at dfn-cert.de
Thu Jan 10 16:06:52 CET 2008
Stefan Winter wrote on 10.01.2008 15:51:
> Hi,
>
>> If the supplicant is not configured that strictly, at the end of the day it
>> does not matter if you rolled your own self-signed RADIUS server cert or
>> you have a cert with its root CA pre-installed.
>
> Actually, it's not quite the same: if the user at least managed to enable
> CA checking, then
>
> - for a commercial CA, thousands of untrusted hosts match his check
> - for a self-signed CA, only one server matches
> - for a dedicated RADIUS Auth CA, only servers within the administrative reach
> which are trusted to handle user authentications anyway match
>
> This *is* a win in security vs. commercial CAs.
Agreed, when you turn off 2/3 of the possible checks; but if he is as
inexperienced as many users are, it is easy to trick them into
installing/trusting a new rogue CA or self-signed rogue RADIUS server
certificate anyway. Don't forget: the user desperately wants his internet
connection....
--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
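As an added illustration of the supplicant-side checks the thread is arguing about (this is not from the original messages or from FreeRADIUS), here are two wpa_supplicant network blocks for the same SSID: one with only the EAP type restricted and no server verification, and one that pins the trust anchor to a dedicated RADIUS CA and requires the server certificate to carry the expected name. The SSID, identities, file path and server name are placeholders.

```ini
# Added example, not part of the original thread. Placeholders:
# "example-wlan", example.org identities, /etc/wpa_supplicant/radius-ca.pem,
# radius.example.org.

# Weak: eap=TTLS answers the subject line (only TTLS is ever offered; TLS
# and PEAP are not tried), but nothing about the server is verified. Any
# RADIUS server presenting any certificate, self-signed or commercial,
# completes the tunnel and can harvest the inner MSCHAPv2 exchange.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="changeme"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_suffix_match / subject_match
}

# Stricter: trust only the dedicated RADIUS CA (not the system CA bundle)
# and require the server certificate's name to match, so only the servers
# within the operator's administrative reach are accepted.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"   # outer identity; real user name stays inside the tunnel
    identity="user@example.org"
    password="changeme"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"   # dedicated RADIUS CA only
    domain_suffix_match="radius.example.org"      # matched against SAN dNSName, else subject CN
    # On older wpa_supplicant builds without domain_suffix_match use
    #   altsubject_match="DNS:radius.example.org"   or
    #   subject_match="/CN=radius.example.org"
}
```

Note that the second block only helps if the user cannot be talked into adding a second ca_cert or clicking through a certificate prompt, which is exactly the point made above: restricting the EAP type alone does not make the supplicant strict.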