windows users having trouble authenticating

David Mitchell mitchell at ucar.edu
Tue Aug 3 21:33:34 CEST 2010


Alan DeKok wrote:
> John Dennis wrote:
>> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>>> Using a known root CA for RADIUS authentication isn't really
>>> recommended.
>> Why?
>>
>> P.S. just to clarify, it's not "using a known root CA for
>> RADIUS authentication", rather it's using a server cert signed by a
>> known root CA.
> 
>   Sure.
> 
>   It's because *anyone* can set up an AP, and a RADIUS server that your
> PC will accept.  If the AP has the same SSID as (say) your work, it will
> happily send your work username && login via EAP to the rogue AP.

The level of risk here varies depending on the EAP method. If you are
using EAP-TLS, the server only gets a copy of the certificate, so there
is no risk of him stealing your credentials. With EAP-PEAP/MSCHAPv2 I
believe the attacker can get enough information to perform a dictionary
attack against your password, which, depending on its strength, may or may
not be a problem (I'm not certain about this one, if somebody else wants
to chime in). And then there is EAP-TTLS, where the rogue server will end
up with a cleartext copy of the username and password if the user can be
tricked into accepting the server's certificate.


>   The various EAP methods *should* have tied usernames (i.e. domains) to
> a field in the certificate.  e.g. a cert with CN "radius at example.com"
> should be sent logins for "user at example.com", but NEVER sent logins for
> "user at example.net"
> 
>   You should ONLY send your login credentials when you *know* who it is
> on the other end of the EAP conversation.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
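The check Alan describes, binding the realm of the login name to a name in the server certificate before any inner credential is released, as an added example (not code from the thread or from FreeRADIUS). It models the parsed leaf certificate as a plain dict-like object so it runs offline; the identities, certificate names, issuer strings and the `should_send_credentials` / `bound_policy` helpers are all constructed for illustration. The suffix match uses the same label-boundary rule as wpa_supplicant's `domain_suffix_match` option, so `evil-example.com` does not match `example.com`.

```python
"""Supplicant-side identity check for an EAP server certificate.

Added example, not from the mailing-list thread. A real supplicant would
pull these fields from the certificate chain in the TLS handshake; here
the certificate is a constructed stand-in so the logic runs offline.
The EAP identity is assumed to be an NAI of the form user@realm.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for the parsed leaf certificate."""
    common_name: str
    san_dns: Tuple[str, ...] = ()
    issuer: str = ""


@dataclass(frozen=True)
class TrustPolicy:
    """Which issuers are accepted and, optionally, which domain the
    server's certificate must carry. domain_suffix=None is the weak,
    'any cert from a known root CA' configuration."""
    ca_issuers: FrozenSet[str]
    domain_suffix: Optional[str] = None


def realm_of(identity: str) -> Optional[str]:
    """Realm part of an NAI ('user@example.com' -> 'example.com')."""
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def domain_suffix_match(name: str, suffix: str) -> bool:
    """Label-boundary suffix match: 'radius.example.com' matches
    'example.com', but 'evil-example.com' and 'notexample.com' do not."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def should_send_credentials(identity: str, cert: ServerCert,
                            policy: TrustPolicy) -> Tuple[bool, str]:
    """Decide whether the inner EAP credential may be released.

    Returns (ok, reason). Issuer trust alone is not enough: with a public
    root CA anyone can obtain a valid certificate for a name they own, so
    the cert must also carry a name inside the realm of the login."""
    if cert.issuer not in policy.ca_issuers:
        return False, "issuer not trusted"
    if policy.domain_suffix is None:
        return True, "issuer trusted; no name binding (weak)"
    names = (cert.common_name,) + tuple(cert.san_dns)
    if any(domain_suffix_match(n, policy.domain_suffix) for n in names):
        return True, "certificate name is bound to the login realm"
    return False, "no certificate name matches %s" % policy.domain_suffix


def bound_policy(identity: str, ca_issuers: FrozenSet[str]) -> TrustPolicy:
    """Derive the required domain from the login realm itself."""
    return TrustPolicy(ca_issuers=ca_issuers, domain_suffix=realm_of(identity))


# Constructed scenario: both certificates chain to the same public root.
PUBLIC_ROOT = "CN=Some Public Root CA"
GOOD_CERT = ServerCert("radius.example.com", ("radius.example.com",), PUBLIC_ROOT)
ROGUE_CERT = ServerCert("radius.evil-example.com", ("radius.evil-example.com",),
                        PUBLIC_ROOT)
PUBLIC_CA_ONLY = TrustPolicy(ca_issuers=frozenset({PUBLIC_ROOT}))
IDENTITY = "user@example.com"
BOUND = bound_policy(IDENTITY, frozenset({PUBLIC_ROOT}))


if __name__ == "__main__":
    for label, cert in (("legitimate", GOOD_CERT), ("rogue", ROGUE_CERT)):
        for pname, pol in (("root-CA only", PUBLIC_CA_ONLY), ("realm-bound", BOUND)):
            ok, why = should_send_credentials(IDENTITY, cert, pol)
            print("%-10s %-12s -> %-5s (%s)" % (label, pname, ok, why))
```

With the root-CA-only policy the rogue certificate is accepted, because it is perfectly valid for a name the attacker owns; the realm-bound policy rejects it and still accepts the legitimate `radius.example.com` certificate. For PEAP or TTLS the inner username and password would only be sent once this check returns True; for EAP-TLS the same check still matters, since the rogue server otherwise learns the client certificate and can profile the user.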



More information about the Freeradius-Users mailing list