On Fri, Sep 30, 2016 at 11:53:27AM +0100, freeradius-users@latter.org wrote:
On 30/09/16 11:25, Matthew Newton wrote:
Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the only real big exceptions I'm aware of. And if XP is a problem then that's the least of your issues.
I thought Windows 7 *did* support it. (Out of the box, in case that is not crystal clear!)
It arrived in Windows 8.
But then, you should install a client CA root cert with pretty much whichever EAP method you use, otherwise you risk the same problem, to a greater or lesser degree, depending on the inner method. So this is something you should be doing anyway.
However I have just looked at the instructions we give to users wishing to connect their Windows 8 machine to the wifi network and have seen this:
- Untick “Verify the server’s identity by validating the certificate”
Noooo :(
So presumably we are at risk of people spoofing the SSID?
Yes
(although I believe the Aerohive kit has stuff to identify and deal with what they call "rogue" access points).
And when the rogue Access Point is not within hearing distance of your own APs? It sounds like a good feature, but it will again only provide an illusion of security. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>