understanding

Fajar A. Nugraha list at fajar.net
Fri Mar 30 09:38:41 CEST 2012


On Fri, Mar 30, 2012 at 2:21 PM, Heinrich, Sebastian
<S.Heinrich at aos-stade.de> wrote:
>>> Actually the existing certificates in the certs subdirectory could be
>>> deleted but the authentication would work?
>
>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then
>> you don't need certificates.
>
> But it would work with the standard certificates given in the certs
> subdirectory. There is no security improvement by creating new
> certificates

Yes, there is.

Once the TLS tunnel is established, the traffic inside it will be
encrypted. Anyone sniffing traffic in the middle will be unable to
decode it. So at minimum, it helps prevent user/password sniffing.

The difference might not be obvious with PEAP-MSCHAPv2 vs plain
MSCHAPv2, but it's VERY significant when comparing PAP vs TTLS-PAP or
PEAP-GTC.

> and using them for PEAP-EAP-MSCHAPv2 when you don't check
> them.

... and that's why the recommendation is to CHECK them, and to
successfully do that you usually need to have every client import the
CA used to sign the server certs.

-- 
Fajar
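As an added illustration of the point made above about checking the server certificate (this is not part of the original mail or of FreeRADIUS itself): a wpa_supplicant network block with the weak setting beside the corrected one. The SSID, realm, user name and file path are assumptions chosen for the example.

```conf
# Added example, not from the mailing-list thread. SSID, realm, user,
# password and CA path are placeholders for illustration.

# WEAK: PEAP-MSCHAPv2 with no CA configured. A TLS tunnel is still built,
# so a passive sniffer sees only ciphertext, but the client never checks
# who terminates that tunnel: any RADIUS server presenting any certificate
# is accepted, and the inner MSCHAPv2 exchange is handed to it.
network={
    ssid="example-wpa2-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    # no ca_cert: the server certificate is accepted without validation
}

# CORRECTED: the client imports the CA that signed the RADIUS server's
# certificate and only accepts a certificate that chains to that CA and
# carries the expected server name. This is what "CHECK them" means in
# practice, and it is why the CA must be distributed to every client.
network={
    ssid="example-wpa2-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity sent in the clear; keep the real user name inside the tunnel
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

Using a private CA (rather than a public one) for the server certificate also limits which certificates can pass the `ca_cert` check to those the organisation issued itself.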


More information about the Freeradius-Users mailing list