eduroam using Eap-ttls and securing user's password
Gerald Vogt
vogt at spamcop.net
Fri Jun 17 09:09:42 CEST 2011
On Fri, Jun 17, 2011 at 8:36 AM, <regemailster at gmail.com> wrote:
> This problem is even worse if the user is traveling at a partner's
> institution and using eduroam, in that if that partner insititution's RADIUS
> server has user-password logging enable, they too can see my user's
> password.
That's not correct. The "partner institution" (the place your user
visits) only proxies radius requests. They don't know what is inside.
They don't see any passwords from your users.
They would only see the password if one of your users incorrectly
tries to authentication against the "partner institution" domain. But
this should never happen if they set up eduroam correctly, set the
correct user name including the domain name of your institution and
also only accept the certificate of your radius server.
If the eduroam wireless connection is set up correctly on the computer
and the user uses it correctly the "partner institution" radius server
will only see the outer identity and then proxies the requests back to
your radius server. This requires correct settings on the user's
computer and knowledge not accept certificates or radius servers which
you did not configure before...
Gerald
More information about the Freeradius-Users
mailing list