On Fri, Sep 30, 2016 at 11:09:34AM +0100, Dom Latter wrote:
On 29/09/16 17:57, Bogdan Rudas via Freeradius-Users wrote:
Hello Dom,
Why don't you go with EAP-TTLS+PAP ? Plain-text password transferred over TLS-secured channel let you use any hashing algorithm you want in your
As far as I can work out, out-of-the-box support for this protocol only arrived for most things in about 2010. We'll have quite a lot of users still using machines older than that. I suspect that for commercial reasons, it's not an option. I can ask.
Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the only real big exceptions I'm aware of. And if XP is a problem then that's the least of your issues.
database. Sure, you have to pay attention for proper device configuration with your CA certificate.
Do you mean a certificate needs to go on the device?
I have had a look at this: http://cloudessa.com/tips-and-tricks/how-to-setup-eap-ttls-with-inner-pap-au... for example and it does not look like a certificate *needs* installing.
It doesn't *technically* need installing. But then you're open to your devices talking to a rogue RADIUS server and giving their cleartext password away. So it's pretty stupid not to. They stopped their instructions before the big certificate warning appears on screen. With wireless, for example, this means little more than someone coming near your site advertising your SSID, and people hit the "trust this wireless network" button and immediately give their credentials away. So yes, it needs installing. But then, you should install a client CA root cert with pretty much whichever EAP method you use, otherwise you risk the same problem, to a greater or lesser degree, depending on the inner method. So this is something you should be doing anyway. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>