Poodle and EAP?

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 20 15:36:18 CEST 2014


On 20/10/14 14:24, Nick Lowe wrote:
> Incidentally, we now have TLS 1.2 in Windows for the relevant
> EAP-types after the last round of Windows Updates, currently disabled
> by default:
>
> https://support.microsoft.com/kb/2977292
>
> I am not quite sure why they don't default to 0xFC0 though for TLS
> 1.0, 1.1 and 1.2 support.
>
> Are there really EAP-terminating RADIUS servers out there that baulk
> on a TLS 1.1 or 1.2 Client Hello, not responding with TLS 1.0 where
> the newer protocol versions are not supported?

Almost certainly.

There are some controller-based wireless systems which "helpfully" have 
the option of terminating the outer EAP, and only passing the inner EAP 
along to the RADIUS servers; I wouldn't ever do that, but I bet people 
who are would see all kinds of craziness.

I'm sympathetic to Microsoft not wanting to open that can of worms..

