How to enable only EAP-TTLS type and not EAP-TLS?

Stefan Winter stefan.winter at restena.lu
Thu Jan 10 15:51:04 CET 2008


Hi,

> If the supplicant is not configured that strictly, at the end of the day it
> does not matter if you rolled your own self-signed RADIUS server cert or
> you have a cert with its root CA pre-installed.

Actually, it's not quite the same: if the user at least managed to enable
CA checking, then

- for a commercial CA, thousands of untrusted hosts match his check
- for a self-signed CA, only one server matches
- for a dedicated RADIUS Auth CA, only servers within the administrative reach 
which are trusted to handle user authentications anyway match

This *is* a win in security vs. commercial CAs.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
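
Added example (not part of the original message): a constructed Python model of the check discussed above, listing which server certificates pass a supplicant that verifies only the issuing CA, and which pass once a server-name check is added. The host names, CA labels, the count of 1000 unrelated hosts and the name check itself are assumptions, and issuer matching stands in for real X.509 path validation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str  # server name in the certificate
    issuer: str   # label of the CA that signed it (equals subject if self-signed)


def accepts(cert: Cert, trusted_ca: str, expected_name: Optional[str] = None) -> bool:
    """Supplicant-side check: issuer must be the trusted CA; name check is optional."""
    if cert.issuer != trusted_ca:
        return False
    return expected_name is None or cert.subject == expected_name


# Constructed sample data: unrelated hosts holding certificates from a commercial CA.
UNRELATED = [Cert(f"host{i}.example.net", "Commercial CA") for i in range(1000)]

# Scenario -> (CA the supplicant trusts, certificates issued inside the admin domain).
SCENARIOS = {
    "commercial": ("Commercial CA",
                   [Cert("radius.example.org", "Commercial CA")]),
    "self-signed": ("radius.example.org",
                    [Cert("radius.example.org", "radius.example.org")]),
    "dedicated": ("RADIUS Auth CA",
                  [Cert("radius.example.org", "RADIUS Auth CA"),
                   Cert("radius2.example.org", "RADIUS Auth CA"),
                   Cert("radius3.example.org", "RADIUS Auth CA")]),
}


def matching_servers(scenario: str, expected_name: Optional[str] = None) -> List[str]:
    """Return every server in the modelled world that the supplicant would accept."""
    trusted_ca, own = SCENARIOS[scenario]
    world = UNRELATED + own
    return [c.subject for c in world if accepts(c, trusted_ca, expected_name)]


if __name__ == "__main__":
    for name in SCENARIOS:
        ca_only = len(matching_servers(name))
        strict = len(matching_servers(name, "radius.example.org"))
        print(f"{name:12s} CA check only: {ca_only:5d}   CA + name check: {strict}")
```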