EAP-TTLS/PAP -> LDAP for WPA2

Stefan Winter stefan.winter at restena.lu
Fri Jul 7 17:53:47 CEST 2006


Hi,

> I'm very impressed. I installed this and all of my complaints and
> concerns are answered! Now, I'm assuming and hoping the Linux wpa
> supplicant also supports this...

Sure thing :-) It's Free Open Source Software after all :-)

> > Uh. You should consider that you will have _no_ link-layer encryption
> > when using captive portals. And connections can be hijacked. And with a
> > shared key, you have no accountability. And the shared key will flow over
> > the net unencrypted, so anyone can pick it up and abuse your network.
> > OTOH, what's so secret about a user name? User names are the _public_
> > parts of credentials, it's the passwords that are critical.
> > If you really don't want usernames to be important at all, use EAP-TLS.
> > The client certificate will identify you, no matter what garbage you put
> > into the user name.
> > Captive portals are a step back with regards to security.
>
> Well, I was going to use WPA2 with a preshared key which would provide
> the link-layer encryption (as i understand it) but then require a
> username and password as another step in case the key got leaked. You're
> right about the accountability, but are you sure about the shared key
> going over the net unencrypted? This doesn't sound right...

You would need to have the user enter his username and password on the captive 
portal server. From there on up to the RADIUS server, it would be clear text 
(unless you do some black magic with a PAP to EAP-TTLS gateway, which is 
possible, but no fun). The wireless link would be encrypted though, so it 
wouldn't be as bad as *just* the captive portal.

> Since we're talking about our ldap directory, which we use for pretty
> much *everything*, having a list of usernames gives an attacker a
> starting point for trying brute force attacking. This could also be used
> as a starting point for identity theft or spamming.

That's pretty much arguable. If you indeed use that username for "everything" 
the probability that it is spied as the user enters it somewhere, leaves it 
on a scrap paper, tells it his "best friend" while having a beer etc. is 
*far* higher than someone sniffing IP traffic between your supplicant and 
your RADIUS server. Unless the RADIUS server is at the other end of the 
world.

> EAP-TLS probably is the most secure way to do things though it does
> require installing certs. I'll definitely be giving it consideration

That's for the hardcore paranoid people, right. But if you are happy with 
SecureW2 and EAP-TTLS: that's perfectly fine.

> Thanks again for all your help - I'm feeling pretty happy with my setup
> now,

Great!

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Research Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
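The thread above mentions that the Linux wpa_supplicant supports the same EAP-TTLS/PAP setup. The following network block is an added example (not from the original mail, from FreeRADIUS or from the supplicant's own documentation) showing the settings that keep the PAP password inside a server-validated TLS tunnel and keep the real user name off the air, which is the concern raised about username disclosure. The SSID, identities, password, CA file path and server certificate subject are placeholders.

```conf
# Added example wpa_supplicant.conf network block; every value is a placeholder.
network={
    ssid="example-wpa2-ssid"
    key_mgmt=WPA-EAP
    # RSN = WPA2, CCMP = AES; this is the link-layer encryption discussed above.
    proto=RSN
    pairwise=CCMP
    eap=TTLS
    # Outer identity seen on the air and by any RADIUS proxy: only the realm is
    # exposed. The real user name is sent inside the TLS tunnel.
    anonymous_identity="anonymous@example.org"
    identity="jdoe@example.org"
    password="placeholder-password"
    # Verify the RADIUS server certificate against the local CA file and check
    # its subject. Without this, the supplicant would hand the PAP password to
    # any access point presenting some server certificate.
    ca_cert="/etc/ssl/certs/example-ca.pem"
    subject_match="/CN=radius.example.org"
    # Inner method: plain PAP, readable only by the RADIUS server that
    # terminates the tunnel and then checks the password against LDAP.
    phase2="auth=PAP"
}
```

The two lines that matter for the security argument in this thread are `ca_cert` and `anonymous_identity`: the first is what makes the PAP inner method safe to use at all, and the second limits what a passive observer of the 802.1X exchange learns about the directory accounts.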
