AW: understanding
Heinrich, Sebastian
S.Heinrich at aos-stade.de
Fri Mar 30 09:46:06 CEST 2012
>>>> Actually the existing certificates in the certs subdirectory could
>>>> be
>> deleted but the authentification would work?
>>
>>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2,
>>> then
>> you don't need certificates.
>>
>> But it would work with the standard certificates given in the certs
>> subdirectory. There is no security improveness by creating new
>> certificates
> Yes, there is.
> Once the TLS tunnel is established, the traffic inside it will be encrypted. Anyone sniffing traffic it the middle will be unable to decode it. So at minimum, it helps prevents user/password sniffing.
> The difference might not be obvious with PEAP-MSCHAPv2 vs plain MSCHAPv2, but it's VERY significant when comparing PAP vs TTLS-PAP or PEAP-GTC.
>> and using them for PEAP-EAP-MSCHAPv2 when you don't check them.
>> ... and that's why the recommendation is to CHECK them, and to successfully do that you usually need to have every client import the CA used to sign the server certs.
But a TLS tunnel can be established with the standard certificates given in the certs subdirectory. Creating new certificates is only a security improveness when checking them?
Is there any security improveness of creating new certificates and don't checking them?
Best Regards
Sebastian Heinrich
Techn. DV
Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade
email S.Heinrich at aos-stade.de
web http://www.aos-stade.de
More information about the Freeradius-Users
mailing list