understanding

Fajar A. Nugraha list at fajar.net
Fri Mar 30 11:38:53 CEST 2012


On Fri, Mar 30, 2012 at 4:18 PM, Heinrich, Sebastian
<S.Heinrich at aos-stade.de> wrote:
> We don't want to install certificates on the clients, but the problem
> that is given in wikipedia is that anybody can install an access point
> with the same ssid and a client that would connect with it would give
> him his MSCHAP encrypted username and password.

err ... no. It doesn't work that way.

> How easy is it to crack
> such a password?  An authentication wouldn't have happened but the
> attacker would have had the encrypted usernames and passwords.

They won't.

> problem because in my configuration that usernames and passwords are
> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make
> it secure without installing certificates?

It depends on how "secure" you want it to be. MSCHAPv2, even without
PEAP, is already more secure than PAP.

Alan said "If you don't check the certs, they don't add security." I
highly respect his opinion as a RADIUS expert; however, I still think
that using certificates, even when you don't check them, adds some
level of security, because it makes sniffing a little harder.

There's no argument, however, that the best implementation would be to
use your own root CA, AND install it on clients, AND configure the
client to check the certificate.

Phil's mail here might give you more options and information:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg74875.html

-- 
Fajar
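As an added illustration (not part of the original thread, and not FreeRADIUS project code) of what "install your own root CA on the client and configure the client to check the certificate" looks like in practice, here are two wpa_supplicant network blocks for a Linux client doing PEAP/MSCHAPv2. The first trusts whatever server certificate it is shown; the second pins the private root CA and the expected RADIUS server name. The SSID, username, CA file path and server name are placeholders, not values from the thread.

```conf
# Added example, not from the mailing-list thread.
# SSID, identity, CA path and server name below are placeholders.

# WEAK: no ca_cert, so the supplicant accepts any server certificate
# and never verifies which RADIUS server terminates the TLS tunnel
# before the inner MSCHAPv2 exchange starts.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# BETTER: the organisation's own root CA is installed on the client,
# the supplicant must validate the RADIUS server certificate against
# it, and the certificate's name must match the expected server.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # Private root CA installed on the client (placeholder path).
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    # Only accept certificates whose name ends with this suffix.
    domain_suffix_match="radius.example.com"
    # Keep the real username out of the outer, unencrypted EAP identity.
    anonymous_identity="anonymous"
}
```

Only the second block enforces all three points from the post (own CA, installed on the client, client configured to check it); leaving out `ca_cert` is what Alan's remark about unchecked certificates refers to.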

