I'm aware of an attack on a bank which had implemented EAP, and had fun when a Pen tester was simply getting domain login credentials without having to work much at all. Could you maybe provide a rebuttal for this attack? and/or explain how to make it especially secure? On Tue, Apr 7, 2009 at 8:28 AM, Alan DeKok <aland@deployingradius.com> wrote:
Arran Cudbard-Bell wrote:
Ohh are you referring to the scaremongering 'The Register' was doing last year? Because of course, anyone with a hacked copy of FreeRADIUS can steal all your users credentials !
Unfortunately, people read his column, and believe him. They might also believe that he actually writes his own material.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Random quote of the week/month/whenever i get to updating it: "Opportunity knocked. My doorman threw him out." - Adrienne Gusoff "At school you don't get parole, good behavior only brings a longer sentence." - The History Boys