Alan DeKok wrote:
John Dennis wrote:
On 08/03/2010 01:30 PM, Alan DeKok wrote:
Using a known root CA for RADIUS authentication isn't really recommended. Why?
P.S. just to clarify, it's not "using a known root CA for RADIUS authentication", rather it's using a server cert signed by a known root CA.
Sure.
It's because *anyone* can set up an AP, and a RADIUS server that your PC will accept. If the AP has the same SSID as (say) your work, it will happily send your work username && login via EAP to the rogue AP.
The level of risk here varies depending on the EAP method. If you are using EAP-TLS, the server only gets a copy of the certificate so there is no risk of him stealing your credentials. With EAP-PEAP/MSCHAPv2 I believe the attacker can get enough information to perform a dictionary attack against your password which depending on it's strength may or may not be a problem (I'm not certain about this one if somebody else wants to chime in). And then there is EAP-TTLS where the rogue server will end up with a cleartext copy of the username and password if the user can be tricked into accepting the servers certificate.
The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN "radius@example.com" should be sent logins for "user@example.com", but NEVER sent logins for "user@example.net"
You should ONLY send your login credentials when you *know* who it is on the other end of the EAP conversation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------