Freeradius vs Security

Alan DeKok aland at deployingradius.com
Tue Apr 2 15:44:15 CEST 2019


On Apr 2, 2019, at 9:32 AM, Andre Forigato <andre.forigato at rnp.br> wrote:
> I need to share information about the safety of Eduroam.

  The system has been built by people who know what they're doing.

> If a hacker installs an access point with the name of Eduroam, and this access point points to a Freeradius server, it is possible that the malicious person sees all the logins and passwords in the Freeradius logs.

  That's not true.

> How to avoid this situation? Should user institutions force their students to use personal certificates? (certificate issued by the institution itself to its students)

  You should read the specifications to see how the protocols actually work.

> Reaffirming that the idea here is how to make users of university institutions not fall into the trap of malicious people. Anyone can set up an access point pointing to a fake freeradius server. And these malicious people can get the username and password from all the devices that connect to the Eduroam access point.

  Again, that's not true.

> How can we solve this problem?

  Understand how things work before you claim that they're broken.

  Alan DeKok.



