working with vouchers

Phil Mayers p.mayers at
Tue Jul 10 10:29:59 CEST 2012

On 07/09/2012 06:30 PM, Andreas Meyer wrote:

> Ok, thank you for the hints! Everything is getting clearer by and by.
> I just found out that I get entry into the WLAN with an android smartphone
> by just using the username and password without using the ca.crt with
> PEAP/MSchap2. I read in the protocols-table that only with EAP-TLS
> certificates are used.

No, this is not true.

All TLS-based EAP methods REQUIRE a server cert - EAP-TLS, EAP-PEAP, 
EAP-TTLS. If you aren't validating this server cert, you are vulnerable 
to attack.

EAP-TLS is unique in that it also requires a CLIENT cert. TTLS/PEAP use 
username/password to identify the client.

More information about the Freeradius-Users mailing list