AES encrypted passwords

Matthew Newton mcn4 at leicester.ac.uk
Fri Sep 30 13:01:16 CEST 2016


On Fri, Sep 30, 2016 at 11:53:27AM +0100, freeradius-users at latter.org wrote:
> On 30/09/16 11:25, Matthew Newton wrote:
> >Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the
> >only real big exceptions I'm aware of. And if XP is a problem then
> >that's the least of your issues.
> 
> I thought Windows 7 *did* support it.  (Out of the box, in case
> that is not crystal clear!)

It arrived in Windows 8.

> >But then, you should install a client CA root cert with pretty
> >much whichever EAP method you use, otherwise you risk the same
> >problem, to a greater or lesser degree, depending on the inner
> >method. So this is something you should be doing anyway.
> 
> However I have just looked at the instructions we give to users
> wishing to connect their Windows 8 machine to the wifi network
> and have seen this:
> 
>  - Untick “Verify the server’s identity by validating the certificate”

Noooo :(

> So presumably we are at risk of people spoofing the SSID?

Yes

> (although I believe the Aerohive kit has stuff to identify
> and deal with what they call "rogue" access points).

And when the rogue Access Point is not within hearing distance of
your own APs? It sounds like a good feature, but it will again
only provide an illusion of security.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

