- Tell your users to alert immediatly in case of lost/stolen phone - Client certificate revocation of stolen/lost phones - Appropriate (not too long) client certificate validity time - Lost phones MAC addresses blocking - Verify this rule with Radius logs: One certificate/One MAC (no certificate share with numerous devices) - Phones flash memories encrypted - Use a Mobile Device Management - User authentication on corporate applications once connected on wifi network ...? Denis. On 24/08/2018 13:06, Elias Pereira wrote:
Thanks for all clarification about the eap- * configs.
How can I mitigate the security issue if I do not use password for personal certificate?
On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev@jisc.ac.uk> wrote:
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect.
Nik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html