EAP-TTLS/PAP -> LDAP for WPA2
John Allman
allmanj at cp.dias.ie
Fri Jul 7 11:47:41 CEST 2006
Stefan Winter wrote:
>
> The thing about anonymous outer identity is that it doesn't matter what you
> put in there. If your real name is "iamcool" and your password
> is "evencooler" you can happily send "foobar" as Identity. Authentication
> will only depend on what's inside the tunneled PAP request. Most supplicants
> allow you to specify the outer identity to your liking.
> That said, there is one exception: if you are using roaming, the realm part of
> the username must be the correct one, otherwise the request can't be routed
> to the correct server.
>
"Most supplicants". So there's a chance that a supplicant might not do
so? Is the Identity in the EAP-Message in the first packet always the
same as the User-Name I see in all packets? I'm searching through my
Dell wireless WLAN card utility and I'm pretty sure I can't hide it. Are
Dell breaking any RFCs or other standards that I can take them up on?
This is quite worrying for me as it seems to make the setup quite
insecure instead of making it more secure as I had originally hoped.

Perhaps a shared key and a captive portal would provide better security.
I understand the weakness, but I don't see that it would be weaker than a
shared key alone and has the advantage of not allowing the username to
be read by any arbitrary person.

Thanks for the further explanation of the RADIUS protocol - I think I
will take your advice about the configuration files and leave well
enough alone :)
John
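
Added example, not part of the original thread or of FreeRADIUS: a small Python check that pulls the User-Name attribute and the EAP-Response/Identity out of a RADIUS Access-Request and reports whether the real login is visible outside the TTLS tunnel. RFC 3579 has the NAS copy the EAP-Response/Identity into User-Name, so the two normally match. The function names, the `example.org` realm and the sample packets are constructed for illustration; "iamcool" and "foobar" are the names used in the quoted reply.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79          # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # EAP code and type (RFC 3748)

def radius_attrs(packet):
    """Yield (type, value) for each attribute of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # header: code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def outer_identities(packet):
    """Return (User-Name, EAP-Response/Identity or None) from an Access-Request."""
    user_name, eap = None, b""
    for atype, value in radius_attrs(packet):
        if atype == USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif atype == EAP_MESSAGE:
            eap += value  # long EAP packets are split over several attributes
    eap_identity = None
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        eap_len = struct.unpack("!H", eap[2:4])[0]
        eap_identity = eap[5:eap_len].decode("utf-8", "replace")
    return user_name, eap_identity

def exposes_login(packet, real_login):
    """True if the real login name is readable outside the TLS tunnel."""
    return any(real_login in (v or "") for v in outer_identities(packet))

def build_request(outer):
    """Constructed sample: Access-Request carrying the given outer identity."""
    ident = outer.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    attrs = (bytes([USER_NAME, 2 + len(ident)]) + ident
             + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for outer in ("foobar@example.org", "iamcool@example.org"):
        pkt = build_request(outer)
        print(outer_identities(pkt), "leaks login:", exposes_login(pkt, "iamcool"))
```

Run against a capture of your own Access-Requests, this shows what a given supplicant puts in the clear.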