eduroam using EAP-TTLS and securing user's password
Reg Emailster
regemailster at gmail.com
Fri Jun 17 09:15:45 CEST 2011
Thanks Gerald for the reply.
Just to confirm, you are saying that at the partner's institution, the user's client will set up an encrypted channel all the way back to the client's home institution RADIUS server (determined using the login realm), and their plain password will be passed inside this encrypted channel? If that is the case, then I would feel a lot safer since the only place which can potentially see the password is the home institution RADIUS server, which is not such a concern I guess.
On 17/06/2011, at 4:09 PM, Gerald Vogt wrote:
> On Fri, Jun 17, 2011 at 8:36 AM, <regemailster at gmail.com> wrote:
>> This problem is even worse if the user is traveling at a partner's
>> institution and using eduroam, in that if that partner institution's RADIUS
>> server has user-password logging enabled, they too can see my user's
>> password.
>
> That's not correct. The "partner institution" (the place your user
> visits) only proxies radius requests. They don't know what is inside.
> They don't see any passwords from your users.
>
> They would only see the password if one of your users incorrectly
> tries to authenticate against the "partner institution" domain. But
> this should never happen if they set up eduroam correctly, set the
> correct user name including the domain name of your institution and
> also only accept the certificate of your radius server.
>
> If the eduroam wireless connection is set up correctly on the computer
> and the user uses it correctly the "partner institution" radius server
> will only see the outer identity and then proxies the requests back to
> your radius server. This requires correct settings on the user's
> computer and knowledge not to accept certificates or radius servers which
> you did not configure before...
>
> Gerald
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
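As an added example that is not part of the original thread, the following Python script models what the visited ("partner") institution's RADIUS server actually sees in an EAP-TTLS Access-Request, as Gerald describes: it parses the RADIUS attributes, routes on the realm of the outer identity, and checks that there is no User-Password attribute and that the EAP-TTLS payload is a TLS record it cannot read. The realm table, host names and NAS identifier are hypothetical, and the packets are constructed inline; the bytes standing in for the TLS-encrypted inner AVPs (where the real User-Name and User-Password travel) are placeholders, not real ciphertext. A second constructed packet shows the misconfiguration Gerald mentions, a user whose outer identity carries the visited realm: the proxy routes it locally, which means the visited server becomes the TLS endpoint and would decrypt the inner credentials if the client accepts its certificate.

```python
"""
Model of what an eduroam visited-site RADIUS proxy sees in an EAP-TTLS request.

Added example, not code from the thread or from FreeRADIUS. It follows the
RFC 2865 (RADIUS), RFC 3748 (EAP) and RFC 5281 (EAP-TTLS) wire encodings; all
packets below are constructed here, not captured from a network.
"""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2869)
USER_NAME = 1
USER_PASSWORD = 2
NAS_IDENTIFIER = 32
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

EAP_TYPE_TTLS = 21            # RFC 5281
TLS_APPLICATION_DATA = 0x17   # TLS record content type

# Hypothetical realm table held by the visited institution's proxy.
# "LOCAL" means the visited server itself terminates the EAP-TTLS tunnel.
REALM_ROUTES = {
    "visited.example": "LOCAL",
    "home.example": "radius.home.example",
}


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_ttls_eap_response(identifier: int, tls_record: bytes) -> bytes:
    """EAP Response (code 2) of type EAP-TTLS with no L/M/S flags set."""
    body = bytes([EAP_TYPE_TTLS]) + b"\x00" + tls_record
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def build_access_request(identifier: int, attrs: list) -> bytes:
    """RADIUS Access-Request (code 1) with a placeholder Request Authenticator."""
    payload = b"".join(attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(payload)) + bytes(16) + payload


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute list of a RADIUS packet, validating lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def proxy_view(packet: bytes) -> dict:
    """Everything the visited site's RADIUS server can see and decide on."""
    attrs = parse_attrs(packet)
    outer_identity = next(v for t, v in attrs if t == USER_NAME).decode()
    realm = outer_identity.rpartition("@")[2]
    # RFC 3579: multiple EAP-Message attributes are concatenated in order.
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    eap_type = eap[4] if len(eap) > 4 else None
    # EAP header is 4 bytes, then EAP-TTLS type, then flags, then the TLS record.
    tls_content_type = eap[6] if eap_type == EAP_TYPE_TTLS and len(eap) > 6 else None
    return {
        "outer_identity": outer_identity,
        "realm": realm,
        "route_to": REALM_ROUTES.get(realm, "REJECT: unknown realm"),
        "has_user_password": any(t == USER_PASSWORD for t, _ in attrs),
        "eap_type": eap_type,
        "tls_content_type": tls_content_type,
    }


def _sample_request(outer_identity: bytes) -> bytes:
    # Constructed placeholder TLS application-data record. In a real exchange
    # the inner User-Name and User-Password AVPs are inside this record, which
    # only the TLS endpoint (the home RADIUS server, if routed correctly) can read.
    tls_record = bytes([TLS_APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", 8) + b"\xde\xad\xbe\xef" * 2
    eap = build_ttls_eap_response(5, tls_record)
    return build_access_request(7, [
        build_attr(USER_NAME, outer_identity),                  # outer identity only
        build_attr(NAS_IDENTIFIER, b"ap-library.visited.example"),  # hypothetical NAS
        build_attr(EAP_MESSAGE, eap),
        build_attr(MESSAGE_AUTHENTICATOR, bytes(16)),           # placeholder HMAC
    ])


def sample_roaming_request() -> bytes:
    """Correctly configured client: outer identity names the home realm."""
    return _sample_request(b"anonymous@home.example")


def sample_misrouted_request() -> bytes:
    """Misconfigured client: outer identity names the visited realm."""
    return _sample_request(b"anonymous@visited.example")


if __name__ == "__main__":
    for pkt in (sample_roaming_request(), sample_misrouted_request()):
        print(proxy_view(pkt))
```

The routing decision uses nothing but the outer User-Name, so the visited server only learns which home realm to forward to and that the EAP payload is a TLS record (content type 0x17) it cannot decrypt. Whether anyone other than the home server can ever be the TLS endpoint then rests on the client side, exactly as the reply above says: the outer identity must carry the home realm, and the supplicant must accept only the home RADIUS server's certificate.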