Andre Forigato <andre.forigato@rnp.br> wrote:
I need to share information about the safety of Eduroam.
Not just eduroam... an advanced attacker can target any SSID.
If a hacker installs an access point with the name of Eduroam, and this access point points to a Freeradius server, it is possible that the malicious person sees all the logins and passwords in the Freeradius logs.
Not just FreeRADIUS, though it is probably the tool of choice, attackers can use any RADIUS server for this. It does not have to be the same kind of RADIUS server that the attacked institution uses.
How to avoid this situation? Should user institutions force their students to use personal certificates? (certificate issued by the institution itself to its students)
If you can, the safest way to do it is to provision all clients with a trusted root certificate for a local CA, and when doing so, lock the clients to a particular DN, and if possible, to a particular set of CA roots. How you can configure a client... depends a lot on the client. Not all clients are as safe as others. Old Androids are especially bad. If you actually can install your own root on your clients, you can probably also use EAP-TLS without passwords. Many people prefer this system to MSCHAP or TTLS. The drawbacks are that usernames from the certificates will be easy to sniff out of the air (no privacy protection), and if a device is stolen, the user is unlikely to know how to revoke the certificate themselves, versus changing their password, which hopefully most of your users know how to do. The second best way to do this is with a public CA. In this case to be safe you need your clients to configure to only trust certificates ending in a domain name for which no responsible CA will issue certificates to anyone but you. This puts a lot of trust in the public CA system, and it is very hard to get users to properly configure their devices. You also have to pay attention to when the public CA roots expire and which clients have which public CA roots in their default operating store. The advantage to this system is it is possible to set up a client securely entirely by hand if you know what you are doing... there is no need to download and install extra configuration profiles (except on OSX and iOS because they took away the options to secure things by hand a couple of years ago). The problem, of course, is that most users do not know what they are doing and they will just type in their password when asked and the client will not have the correct settings.