Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Christ Schlacta
lists at aarcane.org
Wed Sep 21 04:11:41 CEST 2011
Very true, thank you for pointing that out as well.

Note to anyone following:
If you use a certificate signed by a general authority (Verisign for
example) then anyone with a Verisign cert will be trusted in your place,
and able to "authenticate" your users, i.e. as a man in the middle.
They'll have access to the unencrypted password payload (NT,
cleartext), which is a severe security compromise. That's why you
(should) always use an internal Certificate Authority, where you control
which certs are signed and distributed.

On 9/20/2011 00:31, Alan DeKok wrote:
> Christ Schlacta wrote:
>> I thought if you had a certificate signed by a trusted root CA, you were
>> good and didn't need to install anything on the client.
> It's true that you don't need to install anything on the client. It's
> *not* true that it's a good idea.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
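
The point made in this thread, shown as a client-side setting. This is an added example, not part of either poster's message: a wpa_supplicant network block that trusts a public CA bundle, beside one pinned to an internal CA. The SSID, identity, password, file paths and server name are placeholders chosen for illustration.

```conf
# wpa_supplicant.conf (constructed example; every value is a placeholder).
# The two blocks are alternatives shown side by side. Deploy only the second.

# Weak: the RADIUS server certificate is accepted if it chains to any CA
# in the public bundle, so any certificate issued under those roots is
# trusted to terminate the PEAP tunnel and receive the MSCHAPv2 exchange.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# Corrected: trust only the internal CA that signs the RADIUS server
# certificate, and additionally require the expected server name.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="example-password"
    # Internal CA certificate distributed to clients (placeholder path).
    ca_cert="/etc/wpa_supplicant/internal-radius-ca.pem"
    # Server certificate must carry a name under this suffix (placeholder).
    domain_suffix_match="radius.example.org"
}
```

With the second block the client rejects any server certificate that was not issued by the internal CA, even one that is valid under a public root.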