EAP-TTLS/PAP -> LDAP for WPA2

Stefan Winter stefan.winter at restena.lu
Fri Jul 7 16:12:27 CEST 2006


> "Most supplicants". So there's a chance that a supplicant might not do
> so? 

Yes. It's implementation-specific. The Win XP built-in supplicant for example 
does not do it.

> Is the Identity in the EAP-Message in the first packet always the 
> same as the User-Name I see in all packets?

Yes, that's what the RFC demands.

> I'm searching through my Dell wireless WLAN card utility and I'm pretty sure
> I can't hide it. Are Dell breaking any RFCs or other standards that I can
> take them up on? 

No. It's optional. If Dell doesn't do it, bad luck. But you can always install 
a supplicant that does it, for example at www.securew2.com (very nice 
supplicant, IMO).

> This is quite worrying for me as it seems to make the setup quite
> insecure instead of making it more secure as I had originally hoped.
> Perhaps a shared key and a captive portal would provide better security.
> I understand the weakness, but I don't see that it would be weaker than a
> shared key alone and has the advantage of not allowing the username to
> be read by any arbitrary person.

Uh. You should consider that you will have _no_ link-layer encryption when 
using captive portals. And connections can be hijacked. And with a shared 
key, you have no accountability. And the shared key will flow over the net 
unencrypted, so anyone can pick it up and abuse your network.

OTOH, what's so secret about a user name? User names are the _public_ parts of 
credentials, it's the passwords that are critical.

If you really don't want usernames to be important at all, use EAP-TLS. The 
client certificate will identify you, no matter what garbage you put into the 
user name.

Captive portals are a step back with regards to security.

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
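Added example, not part of the thread or of any FreeRADIUS code: a small Python parser that pulls the User-Name attribute and the EAP-Response/Identity out of a RADIUS Access-Request, so an operator can check the two points discussed above from a capture: that User-Name matches the EAP identity (RFC 3579 requires the NAS to copy it), and whether the supplicant sent an anonymised outer identity at all. Packet layouts follow RFC 2865/3579/3748; the sample packets are constructed inline, not real captures.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS attribute and EAP constants (RFC 2865, RFC 3579, RFC 3748)
USER_NAME, EAP_MESSAGE = 1, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def parse_radius_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def eap_identity(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """Join EAP-Message fragments; return the identity if it is an EAP-Response/Identity."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        return None
    return eap[5:length].decode("utf-8", "replace")

def outer_identity_report(packet: bytes) -> dict:
    """Compare User-Name with the EAP identity and flag a non-anonymised outer identity."""
    attrs = parse_radius_attrs(packet)
    user_name = next((v.decode("utf-8", "replace") for t, v in attrs if t == USER_NAME), None)
    identity = eap_identity(attrs)
    local_part = (identity or "").split("@", 1)[0]
    return {
        "user_name": user_name,
        "eap_identity": identity,
        "matches_rfc3579": user_name is not None and user_name == identity,
        "anonymous_outer": local_part in ("", "anonymous"),  # "anonymous@realm" or "@realm"
    }

def build_access_request(identity: str, user_name: Optional[str] = None) -> bytes:
    """Constructed sample Access-Request (not a capture): User-Name + EAP-Response/Identity."""
    user_name = identity if user_name is None else user_name
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity.encode()
    attrs = bytes([USER_NAME, 2 + len(user_name)]) + user_name.encode()
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    header = struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16)  # zeroed Request Authenticator
    return header + attrs
```

Feed it the first Access-Request of an EAP-TTLS exchange: a supplicant like the Win XP one mentioned above shows up with the real user name in both fields, an anonymising supplicant with "anonymous@realm".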