EAP-TTLS/PAP -> LDAP for WPA2
Laker Netman
laker_netman at yahoo.com
Thu Jul 13 00:11:49 CEST 2006
--- John Allman <allmanj at cp.dias.ie> wrote:
> Stefan Winter wrote:
> >> I'm searching through my Dell wireless WLAN card utility and I'm pretty sure
> >> I can't hide it. Are Dell breaking any RFCs or other standards that I can
> >> take them up on?
> >
> > No. It's optional. If Dell doesn't do it, bad luck. But you can always install
> > a supplicant that does it, for example at www.securew2.com (very nice
> > supplicant, IMO).
>
> I'm very impressed. I installed this and all of my complaints and
> concerns are answered! Now, I'm assuming and hoping the Linux WPA
> supplicant also supports this...
>
> > Uh. You should consider that you will have _no_ link-layer encryption when
> > using captive portals. And connections can be hijacked. And with a shared
> > key, you have no accountability. And the shared key will flow over the net
> > unencrypted, so anyone can pick it up and abuse your network.
> > OTOH, what's so secret about a user name? User names are the _public_ parts of
> > credentials, it's the passwords that are critical.
> > If you really don't want usernames to be important at all, use EAP-TLS. The
> > client certificate will identify you, no matter what garbage you put into the
> > user name.
> > Captive portals are a step back with regards to security.
>
> Well, I was going to use WPA2 with a preshared key which would provide
> the link-layer encryption (as I understand it) but then require a
> username and password as another step in case the key got leaked. You're
> right about the accountability, but are you sure about the shared key
> going over the net unencrypted? This doesn't sound right...
>
> Since we're talking about our LDAP directory, which we use for pretty
> much *everything*, having a list of usernames gives an attacker a
> starting point for brute-force attacks. This could also be used
> as a starting point for identity theft or spamming.
>
> EAP-TLS probably is the most secure way to do things, though it does
> require installing certs. I'll definitely be giving it consideration.
>
> Thanks again for all your help - I'm feeling pretty happy with my setup now,
>
> John
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
If your time allows, the RADIUS book from O'Reilly is an invaluable reference. It includes FreeRADIUS specifics as well.
Laker
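The quoted thread asks whether the Linux supplicant can hide the real username the way SecureW2 does. wpa_supplicant can: it sends `anonymous_identity` as the cleartext outer EAP identity and carries the real `identity` and the PAP password only inside the TLS tunnel, where the RADIUS server checks them against LDAP. The network block below is an added example for this reply, not configuration posted by anyone in the thread; the SSID, realm, user name, CA path and RADIUS host name are assumed placeholders.

```conf
# Added example: EAP-TTLS with PAP inside the tunnel on a WPA2-Enterprise SSID.
# All names here (SSID, realm, user, CA path, RADIUS host) are assumed placeholders.
network={
    ssid="example-wpa2"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TTLS
    # Outer identity: sent in the clear in EAP-Response/Identity. Only the realm
    # needs to be real, so that a RADIUS proxy chain can route the request.
    anonymous_identity="anonymous@example.org"
    # Inner identity and PAP password: carried only inside the TLS tunnel.
    identity="jdoe@example.org"
    password="correct horse battery staple"
    phase2="auth=PAP"
    # Without ca_cert the supplicant accepts any server certificate, and a rogue
    # AP running its own RADIUS server receives the PAP password in plaintext.
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    # Newer wpa_supplicant releases can also pin the server's name; this option
    # is optional here and did not exist in 2006-era builds.
    domain_suffix_match="radius.example.org"
}
```

With this in place, the only identity visible on the air is anonymous@example.org. Because PAP is plaintext to whichever server terminates the TLS tunnel, validating that server's certificate (`ca_cert`, and the name pin where available) is the entire protection for the LDAP password; treat it as mandatory, not as a hardening extra.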