working with vouchers
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jul 10 10:29:59 CEST 2012
On 07/09/2012 06:30 PM, Andreas Meyer wrote:
> Ok, thank you for the hints! Everything is getting clearer by and by.
> I just found out that I get entry into the WLAN with an Android smartphone
> by just using the username and password without using the ca.crt with
> PEAP/MSchap2. I read in the protocols-table that only with EAP-TLS
> certificates are used.
No, this is not true.

All TLS-based EAP methods REQUIRE a server cert - EAP-TLS, EAP-PEAP,
EAP-TTLS. If you aren't validating this server cert, you are vulnerable
to attack.

EAP-TLS is unique in that it also requires a CLIENT cert. TTLS/PEAP use
username/password to identify the client.
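
Added example (not part of the original post or of FreeRADIUS): a small audit that flags client profiles using a TLS-based EAP method without validating the server certificate. It assumes a wpa_supplicant-style client configuration; the sample profiles, SSIDs and paths are constructed, and the server-name check goes one step beyond what the reply states.

```python
import re

TLS_EAP_METHODS = {"TLS", "PEAP", "TTLS"}   # all present a server certificate
CA_OPTIONS = {"ca_cert", "ca_path"}          # trust anchor for that certificate
NAME_OPTIONS = {"domain_suffix_match", "domain_match",
                "altsubject_match", "subject_match"}  # expected server name

# Constructed sample wpa_supplicant.conf (not from the thread; placeholder values).
SAMPLE_CONF = '''
network={
    ssid="wlan-unvalidated"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="wlan-validated"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    phase2="auth=MSCHAPV2"
    ca_cert="/path/to/ca.crt"
    domain_suffix_match="radius.example.org"
}
'''

def parse_networks(conf_text):
    """Return one {option: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", conf_text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks

def audit(conf_text):
    """Return (ssid, problem) for TLS-based EAP networks lacking validation."""
    findings = []
    for net in parse_networks(conf_text):
        if not set(net.get("eap", "").upper().split()) & TLS_EAP_METHODS:
            continue  # e.g. WPA-PSK networks: no EAP server certificate involved
        if not net.keys() & CA_OPTIONS:
            findings.append((net.get("ssid"), "server certificate not validated"))
        elif not net.keys() & NAME_OPTIONS:
            findings.append((net.get("ssid"), "CA pinned but server name unchecked"))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports only the first profile, which matches the PEAP/MSCHAPv2 setup without `ca.crt` described in the quoted message.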