eduroam using Eap-ttls and securing user's password
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jun 17 09:34:34 CEST 2011
On 06/17/2011 08:15 AM, Reg Emailster wrote:
> Thanks Gerald for the reply.
>
> Just to confirm, you are saying that at the partner's institution,
> the user's client will set up an encrypted channel all the way back
> to the client's home institution RADIUS server (determined using the
> login realm), and their plain password will be passed inside this
> encrypted channel?
Correct. In Eduroam, the EAP flows between a client and their home site.
The visited site is just a proxy, and only ever receives the final
per-session random crypto keys needed for WPA-Enterprise to encrypt the
wireless link.
However: a malicious visited (partner, as you call it) site or an
attacker impersonating an eduroam site could in theory try to terminate
the TTLS portion of the EAP. This is why "validate server certificate"
is so important. Be sure you instruct your clients to tick the
appropriate boxes.
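As an added illustration of the server-certificate point above (not part of the original thread, and not configuration from the list or its posters): two wpa_supplicant network blocks for eduroam, the first with validation left off and the second with the home institution's CA pinned and the server name checked. The realm, CA file path and RADIUS server name are assumed placeholders.

```conf
# wpa_supplicant.conf fragment (file path and all names are assumed placeholders)

# WEAK: no ca_cert and no domain check. The supplicant accepts any server
# certificate, so a rogue "eduroam" AP or a malicious visited site can
# terminate the TTLS tunnel itself and read the inner plaintext password.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@home.example.ac.uk"
    identity="jbloggs@home.example.ac.uk"
    password="hunter2"
    phase2="auth=PAP"
}

# HARDENED: pin the CA that issued the home RADIUS server's certificate and
# require the server's name to sit under the home institution's domain.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity: only the realm matters, it is what the eduroam proxies
    # use to route the request to the home site; the username is not exposed.
    anonymous_identity="anonymous@home.example.ac.uk"
    # Inner identity and password are sent only inside the TTLS tunnel.
    identity="jbloggs@home.example.ac.uk"
    password="hunter2"
    phase2="auth=PAP"
    # Trust anchor for the home RADIUS server, not the whole system store.
    ca_cert="/etc/ssl/certs/home-example-radius-ca.pem"
    # Reject any certificate whose subject/SAN is not under this domain,
    # even one issued by the pinned CA.
    domain_suffix_match="radius.home.example.ac.uk"
}
```

With the hardened block, a visited site or impersonator that presents its own certificate fails the TLS handshake before the inner PAP credentials are ever sent.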