Thank you all for the collaboration, Brian Julin Mathieu Simon Sebastian Hagedorn Hans Christian Alan DeKok And I especially thank Brian Julin for his help and explanation. We are implementing Eduroam in federal universities and also in government. And I was looking for help. Some universities have not agreed to use CAT Eduroam, and are developing their own applications for their users. And I am being questioned by several authorities about security, what would be the best security? For this reason I decided to consult our experts here in the list. Best Regards Att, André Luis Forigato ----- Mensagem original -----
De: "Brian Julin" <BJulin@clarku.edu> Para: "Andre Forigato" <andre.forigato@rnp.br>, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Enviadas: Terça-feira, 2 de abril de 2019 11:03:52 Assunto: Re: [EXT] Freeradius vs Security
Andre Forigato <andre.forigato@rnp.br> wrote:
I need to share information about the safety of Eduroam.
Not just eduroam... an advanced attacker can target any SSID.
If a hacker installs an access point with the name of Eduroam, and this access point points to a Freeradius server, it is possible that the malicious person sees all the logins and passwords in the Freeradius logs.
Not just FreeRADIUS, though it is probably the tool of choice, attackers can use any RADIUS server for this. It does not have to be the same kind of RADIUS server that the attacked institution uses.
How to avoid this situation? Should user institutions force their students to use personal certificates? (certificate issued by the institution itself to its students)
If you can, the safest way to do it is to provision all clients with a trusted root certificate for a local CA, and when doing so, lock the clients to a particular DN, and if possible, to a particular set of CA roots. How you can configure a client... depends a lot on the client. Not all clients are as safe as others. Old Androids are especially bad.
If you actually can install your own root on your clients, you can probably also use EAP-TLS without passwords. Many people prefer this system to MSCHAP or TTLS. The drawbacks are that usernames from the certificates will be easy to sniff out of the air (no privacy protection), and if a device is stolen, the user is unlikely to know how to revoke the certificate themselves, versus changing their password, which hopefully most of your users know how to do.
The second best way to do this is with a public CA. In this case to be safe you need your clients to configure to only trust certificates ending in a domain name for which no responsible CA will issue certificates to anyone but you. This puts a lot of trust in the public CA system, and it is very hard to get users to properly configure their devices. You also have to pay attention to when the public CA roots expire and which clients have which public CA roots in their default operating store. The advantage to this system is it is possible to set up a client securely entirely by hand if you know what you are doing... there is no need to download and install extra configuration profiles (except on OSX and iOS because they took away the options to secure things by hand a couple of years ago). The problem, of course, is that most users do not know what they are doing and they will just type in their password when asked and the client will not have the correct settings.
-- BEGIN-ANTISPAM-VOTING-LINKS ------------------------------------------------------
NOTE: This message was trained as non-spam. If this is wrong, please correct the training as soon as possible.
Teach CanIt if this mail (ID 01XTq3TXw) is spam: Spam: https://antispam.rnp.br/canit/b.php?c=s&i=01XTq3TXw&m=39922a0b9c33&rlm=base&... Não spam: https://antispam.rnp.br/canit/b.php?c=n&i=01XTq3TXw&m=39922a0b9c33&rlm=base&... Esquecer voto: https://antispam.rnp.br/canit/b.php?c=f&i=01XTq3TXw&m=39922a0b9c33&rlm=base&...
(Corpo do link de treinamento em texto-puro) ------------------------------------------------------ END-ANTISPAM-VOTING-LINKS