On 30/09/16 14:21, freeradius-users@latter.org wrote:
Is providing Dot11 but not verifying the certificate Good Enough in this instance? I would guess that you do not think so. Other comments would be welcome. I have not yet formed an opinion. I am moving towards Not Good Enough.
I don't think it is good enough. I tested this last year, by configuring a laptop to use its WiFi interface as an AP, broadcasting an SSID and running a local FreeRADIUS instance that was configured only to record the passwords that users sent to it. Our infosec manager was not happy about me harvesting live user authentications (for obvious reasons) so I built my honeypot in a Faraday cage in the engineering dept. Any clients who have configured their 802.1x profile properly would not speak to my fake RADIUS server. The lazy ones with the option unticked just blindly transmitted their password to my honeypot. It took under an hour to research and set up, and I used this as a demonstration with some dummy clients to show management that security is important. This proves that it's easy to do, and all I have to do is sit with my laptop in the foyer of an airport, etc, and I've got a list of usernames and passwords. Cheers, Jonathan -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol