Am 13.09.19 um 05:27 schrieb Tal Nur via Freeradius-Users:
I think I'm asking simple question.I installed FR 3.0.19 for eduroam and I used configuration files from eduroam.org. I noticed that my Windows clients must install CA certificate to successfully log in.My question is what type our EAP I should to use to allow them be authenticated without certificate?
Why would you want work without a CA cert on the client? The whole idea of 802.1X is about building an SSL/TLS tunnel WITH authentication first. Only then, sensitive data such as passwords, keys, MS-CHAPv2 data etc. is transmittted, protected by the tunnel. The CA sytem makes verifying a peer's identity manageable: You just need some 450+ CA certs in your store to be able to verify any server cert in the world (provided the cA in question has not been compomised). All the mainstream client OSs have these on board, and manufactureres update the collection along with the regular OS updates. If yours is missing, adding it to the trusted root certs is easy (manually, or by calling e.g. certutil). If your client does not verify the peer's cert, but blindly accepts it, you're all lost: An attacker can claim to be eduroam. Clients that don't verify the cert accept the false server's public key and build an SSL tunnel, but a bad one. The client transmits its credentials encryptedly and exclusively to the attacking server! This is known as the "Evil Twin" attack and has been explained here and elsewhere a hundred times. Windows clients are a bit special, though. With MS-CHAP, Microsoft, had attempted to create a Challenge-Response protocol that could do strong mutual auth without certs. That was back in the 1990eis when SSL/TLS was not yet established. While this is entirely possible, MS never got it right. The protocol survived and became a standard as MS-CHAPv2, but soon was proven to be insecure. So it needs a good tunnel WITH authentication to protect it, just as a plaintext password would. In the mean time, there IS a protocol like that called EAP-PWD and supported by FR, but I do not know of any Windows implementation. If you want to set up eduroam for a big number of BYOD devices, put your data including CA cert on cat.eduroam.org and have users use that. It will work for ~90% of devices. Sorry if I seem obsessed with Evil Twin, but "Encrypt without Auth" seems to be one of the major security fallacies of our time. (meraki.cisco.com told you to do so until recently, dozens of universities do, and the old GSM phone network does not even have a protocol in SS7 element to verify what network you're connecting to). Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg