EAP-TTLS/PAP -> LDAP for WPA2
laker_netman at yahoo.com
Thu Jul 13 00:11:49 CEST 2006
--- John Allman <allmanj at cp.dias.ie> wrote:
> Stefan Winter wrote:
> >> I'm searching through my Dell wireless wlan card utility and I'm pretty sure I can't hide it. Are Dell breaking any RFCs or other standards that I can take them up on?
> > No. It's optional. If Dell doesn't do it, bad luck. But you can always install a supplicant that does it, for example at www.securew2.com (very nice supplicant, IMO).
> I'm very impressed. I installed this and all of my complaints and concerns are answered! Now, I'm assuming and hoping the Linux wpa supplicant also supports this...
> > Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network.
> > OTOH, what's so secret about a user name? User names are the _public_ parts of credentials, it's the passwords that are critical.
> > If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name.
> > Captive portals are a step back with regards to
> Well, I was going to use WPA2 with a preshared key which would provide the link-layer encryption (as I understand it) but then require a username and password as another step in case the key got leaked. You're right about the accountability, but are you sure about the shared key going over the net unencrypted? This doesn't sound
> Since we're talking about our LDAP directory, which we use for pretty much *everything*, having a list of usernames gives an attacker a starting point for brute-force attacks. This could also be used as a starting point for identity theft or spamming.
> EAP-TLS probably is the most secure way to do things though it does require installing certs. I'll definitely be giving it consideration
> Thanks again for all your help - I'm feeling pretty happy with my setup now,
If your time allows, the RADIUS book from O'Reilly is an invaluable reference. It includes FreeRADIUS specifics as well.
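For the question above about whether the Linux supplicant can hide the user name, here is an added example (not from anyone in the thread) of a wpa_supplicant network block for WPA2 with EAP-TTLS/PAP: the outer identity sent in the clear is anonymous, the real user name and password travel only inside the TLS tunnel, and the server certificate is checked so the PAP password is not handed to a rogue AP. The SSID, realm, user name, password and file paths are placeholders.

```conf
# wpa_supplicant.conf (added example; all names and paths are placeholders)
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="example-wlan"            # placeholder SSID
    key_mgmt=WPA-EAP               # 802.1X/EAP instead of a shared PSK
    proto=RSN                      # WPA2
    pairwise=CCMP
    eap=TTLS

    # Outer (phase 1) identity: sent in the clear before the TLS tunnel
    # exists, so this is what a sniffer sees. Keep it anonymous; the realm
    # is enough for the RADIUS proxy chain to route the request.
    anonymous_identity="anonymous@example.org"

    # Inner (phase 2) identity and password: sent only inside the TLS tunnel,
    # which is where the LDAP-backed PAP check happens on the server.
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=PAP"

    # PAP carries the password in plaintext inside the tunnel, so the client
    # must verify the RADIUS server's certificate. Without ca_cert any AP
    # presenting any certificate would receive the password.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Pin the expected server name so a certificate from the same CA issued
    # to another host is not accepted either.
    domain_suffix_match="radius.example.org"
}
```

With this block the only identity visible on the air is the anonymous outer one; the LDAP user name is never exposed outside the tunnel.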