Hi,
Could you please clarify you warning regarding client configuration? Some systems allow my EAP-TTLS+PAP configuration out of the box, do you mean in could be insecure? Are there any way to prevent client authentication unless it have my CA installed?
The TLS channel is the only line of defence against credential theft. If users choose to ignore security warnings related to the certificate, anyone can present an arbitrary certificate and the user's device will merrily deliver the password in cleartext to anyone who's asking. The situation is *slightly* less critical with TTLS-MSCHAPv2 or PEAP because at least they only transmit the NTHash of the user's password, not the cleartext. NTHash can meanwhile be broken rather trivially though, so this won't stop a determined attacker. Getting the cert validation done right really is the only working repellant against rogue AP+rogue RADIUS server attacks. Funny enough, this situation is explained extensively on www.freeradius.org :-) http://freeradius.org/enterprise-wifi.html (look at "User Device Configuration") Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66