Freeradius vs Security

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Tue Apr 2 16:01:24 CEST 2019


Hi

As Sebastian already wrote (as I was writing this message), many eduroam
institutions - at least European ones, as far as I can confirm - offer
preconfigured profiles or install wizards through the eduroam CAT
service. These profiles will often set both the CA the supplicant should
trust and the server (CN) it should verify: https://cat.eduroam.org/ *

This does not prevent users from manually configuring their supplicant
and ignoring both the CA and the CN on the certificate, thus ending up
with a potentially insecure configuration exposing them to the scenario
you described.

CAT often makes things easier for end users and protects them against
individual misconfiguration, but we can't stop users from hurting
themselves either. ;-)

-- Mathieu
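To make the two configurations the message contrasts concrete, here is an added example written for this page; it is not taken from the thread, from eduroam CAT or from FreeRADIUS. It shows a wpa_supplicant network block that ignores both the CA and the server name beside one that checks both, as a CAT profile would. The realm example.org, the server name radius.example.org, the CA file path, the placeholder password and the choice of PEAP/MSCHAPv2 are assumptions for illustration.

```conf
# Added example (not from the mailing-list post): two wpa_supplicant
# network blocks for an eduroam-style login. Realm, server name, CA path
# and password are placeholders chosen for this illustration.

# INSECURE: no ca_cert and no server-name check. The supplicant accepts
# whatever certificate the RADIUS server presents, so anyone running an
# access point named "eduroam" with their own EAP server receives the
# MSCHAPv2 challenge/response (crackable offline) or, with TTLS/PAP, the
# cleartext password.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    # ca_cert and domain_suffix_match deliberately absent
}

# HARDENED: what a CAT profile installs. The server certificate must chain
# to the institution's CA *and* carry the expected server name. Either
# check alone is insufficient: without ca_cert the chain is not verified
# at all, so a self-signed certificate bearing the right name passes; with
# ca_cert alone any certificate that CA has issued is accepted.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    # Assumed path; the CA file must contain the institution's own CA, not
    # the whole system trust store, or any publicly-issued certificate
    # would satisfy the check.
    ca_cert="/etc/wpa_supplicant/eduroam-example-org-ca.pem"
    # Accepts radius.example.org and names below it (e.g. a second server
    # radius2.radius.example.org); use domain_match for an exact match.
    domain_suffix_match="radius.example.org"
}
```

The older subject_match directive does a substring match on the certificate subject and is deprecated in the wpa_supplicant documentation; domain_suffix_match or domain_match is the setting to use. Checking the SSID alone proves nothing, since any access point can broadcast "eduroam"; only the certificate checks tie the session to the institution's server.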

