Enforcing cryptobinding

Alan DeKok aland at deployingradius.com
Fri Nov 22 19:42:45 CET 2019

On Nov 22, 2019, at 12:14 PM, Nik Mitev <nik at mitev.co.uk> wrote:
> I was looking at this article about the sycophant attack https://sensep
> ost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/ and the
> success of it reportedly hangs on whether cryptobinding is enforced or
> not.
> On NPS it is not enforced by default, but there is a "Disconnect
> clients without cryptobinding" setting that can be enabled.
> Can anyone confirm what is the FR default on cryptobinding and whether
> it can be changed in configuration? If it is not enabled by default,
> can it be enabled? If it is enabled by default, can it be disabled -
> inadvertently of on purpose.

  There is no standard for cryptographic binding for PEAP.  If you can find one, we're happy to implement it.

  There is a standard for TTLS, and FreeRADIUS enforces it by default. See:


 There is no way to disable it for TTLS.

  Alan DeKok.

More information about the Freeradius-Users mailing list