Freeradius vs Security
alan.buxey at gmail.com
Tue Apr 2 20:05:05 CEST 2019
> And I am being questioned by several authorities about security, what would be the best security?
> For this reason I decided to consult our experts here in the list.
depends on what the institution is capable and willing to do. the
best would be a local root CA with EAP-TLS, so
there are no passwords being used - a MitM attack would just fail -
they wouldnt have relevant server cert or root.
if the site can work on good documentation/communication and ensure
users are using provisioning client, then EAP-TTLS
or EAP-PEAP with a local root CA (once again, to ensure that anyone
attacking couldnt have a valid cert - as anyone can get
a cert thats signed by public CA that a device just trusts).
another option is to couple the deployment of eduroam with ANOTHER
source of authentication - ie have a seperate/different
password for eduroam so that even if the client was compromised or
lost/stolen, those credentials dont give access to
email/computing resources etc. - several sites in the UK do this method
education is the main thing though - ensure users configure their
device correctly, dont just click on 'okay/accept' whenever
such a thing arises.
it will never be perfect as these are end users...the same who do
respond to phishing emails or use the same password
on many 3rd party systems so when those get p0wned the user account
gets abused globally :(
if you search the mailing list archives you'll see this question and
attack vector mentioned a couple of times a year
More information about the Freeradius-Users