Thanks for the suggestion. Meanwhile I found the eapoltest is available in debian as separate package, and it appears to function https://packages.debian.org/bookworm/eapoltest I have other questions however: Is there an upgrade or current documentation that handles EAP-TTLS? Can you provide a link? because this is all I can find on your site about it, all the searches and throughclicking seem to lead to this same PDF from 2014 (Following "THE FREERADIUS IMPLEMENTATION GUIDE" (2014 network radius sarl)
chapter 6 -EAP authentication, Pg 46,47)
Further I read everywhere on internet that mschap and also mschapv2 is flawed microsoft advises not to use it https://learn.microsoft.com/en-us/windows/security/identity-protection/crede... some security sites show how to walk trough it's defense. https://www.kitploit.com/2021/09/assless-chaps-crack-mschapv2.html https://securityonline.info/assless-chaps-crack-mschapv2-challenge-responses... Thanks, Joost ----- Original Message -----
From: "Alan DeKok" <aland@deployingradius.com> To: "Joost Ringoot" <joost.ringoot@meteo.be>, "hostap" <hostap@lists.infradead.org> Sent: Thursday, 15 June, 2023 14:31:19 Subject: Re: compilation problem deprecated: Since OpenSSL 3.0
On Jun 15, 2023, at 6:30 AM, Joost Ringoot <joost.ringoot@meteo.be> wrote:
I am trying to compile eampol_test
"make eapol_test"
(Following "THE FREERADIUS IMPLEMENTATION GUIDE" (2014 network radius sarl) chapter 6 -EAP authentication, Pg 46,47)
That guide was written long before OpenSSL3 came out. It is very likely that's it's not relevant here.
I suggest looking at the hostap source.
$ git grep -i openssl3
That may be instructive.
Alan DeKok.
On Aug 29, 2023, at 7:05 AM, Joost Ringoot <joost.ringoot@meteo.be> wrote:
Meanwhile I found the eapoltest is available in debian as separate package, and it appears to function
That's good.
I have other questions however: Is there an upgrade or current documentation that handles EAP-TTLS?
I don't know what that means. Upgrade to... what? And how to "handle" EAP-TTLS? To configure EAP-TTLS for eapol_test, see the eapol_test documentation. FreeRADIUS also comes with sample eapol_test configurations for TTLS. See src/tests/*ttls*
Further I read everywhere on internet that mschap and also mschapv2 is flawed
Only if: a) you use plain MS-CHAP across the Internet without TLS b) you use PEAP, and the supplicant doesn't verify the server certificate. We did some tests in 2016 to show how easy it was to spoof WiFi, and steal passwords: https://networkradius.com/articles/2021/08/04/wifi-spoofing.html The good news is that supplicants have gotten better, and now are required to validate the server certificate. So I wouldn't worry too much. The real limitation is what database do you use to store passwords. If it's Active Directory, then you're stuck using PEAP/MS-CHAP, or TTLS/PAP. If you use a database with crypt'd passwords (e.g. Linux /etc/passwd), then you have to use TTLS/PAP. This is actually the recommended approach: https://networkradius.com/articles/2022/04/11/is-pap-secure.html What is more likely, someone steals the password for one machine, or someone steals your entire password database? And any spoofing AP attack for PEAP will also work for TTLS. The only fix is to use something like EAP-PWD, which doesn't send passwords over the link. I'm also working on a document for the IETF which deprecates insecure uses of RADIUS: https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/ That document addresses these issues, and more. In short, your choices for security are limited by what's available, and what's possible. A simple checklist for security is *not* the recommended approach. Simple panics about "PAP more secure than CHAP" or "MS-CHAP is insecure" don't help anyone. What is required is an educated approach to network security. Make your system as secure as possible given the constraints you work under. And fire any "security' person who insists that you follow a checklist approach. Alan DeKok.
participants (2)
-
Alan DeKok -
Joost Ringoot