How to enable only EAP-TTLS type and not EAP-TLS?
Stefan Winter
stefan.winter at restena.lu
Fri Jan 11 08:13:24 CET 2008
> however, this puts the security on the client end...and they'll still
> get a connection with the proper server even if they've omitted
> all the checks. this is bad generally - you need to have a way
> of the server checking that these client settings are enforced.
> oh well. I guess that's what locked-down desktops, corporate images,
> GPO pushed settings etc are all for. not handy for supporting
> the average user.

That road is painful. What we've come up with so far is supplying
pre-configured supplicants (SecureW2) that bring the proper CA certificate
along and set the expected CN automatically. It can even be preconfigured to
auto-discard any other certificates, which doesn't give the user any
opportunity to mess around.

Of course, that is just pre-setting checkboxes in the supplicant. If a user
*really* wants to sacrifice security for getting online cheap and easy on
possible fraud networks, he can still toggle the settings manually later and
shoot himself in the foot with it.

For the built-in supplicant in XP/Vista: it generally sucks. There is the
new "Wireless Native API" that is supposed to allow scripted auto-setups of
802.1X settings for an SSID, but we haven't tested if that's really
practical. If you can find a student to code on that API, please go ahead :-)

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473