-----Original Message----- From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Thursday, July 24, 2014 10:41 AM To: FreeRadius users mailing list Subject: Re: Freeradius authentification against Kerberos On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland@deployingradius.com> wrote:
Wang, Yu wrote:
You can use third party plugins but I strongly discourage you to use EAP-TTLS with Kerberos/PAP because it has security holes.
Not really.
We use FreeRadius and NTLM.
It's 2014. MS-CHAP is only slightly harder to crack than PAP.
In searching more efficient method than NTLM, I looked into EAP-TTLS with Kerberos but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
Please enlighten me.
Just to clarify for those reading the mailing list archives. The OP doesn't really understanding what he's talking about. TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP.
Yes, I was referring to MITM with a rogue AP broadcasting campus SSID and harvest username and password sent in clear.
As Alan the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly harder to crack with a similar attack.
It is slightly better than cleartext password. The hacker has to crack it vs just uses it right away.
A modified version of FreeRADIUS was released to enable exactly those sorts of attacks a few years ago. Don't stop using TTLS-PAP, it's fine. MITMA is a reality, especially in academic environment. Do you have other safer options? EAP-TLS is very safe but can be costly.
Yu