more EAP/TTLS trouble

alan buxey A.L.M.Buxey at
Wed May 30 16:32:33 CEST 2012


> It's a frustrating situation because if Windows were to support all of
> the encryption features that their competition does, indeed, that my
> _phone_ supports, I would not need to compromise. I personally believe
> a company can deliver a top product without sacrificing their profit
> margin. Microsoft falls short of this, and here we have a perfect
> example of precisely how. I also think their tiered version method
> they introduced with Vista is dishonest, as a result of this. But
> we're getting off track.

...but whilst you worry about the server (which you can secure) you are happy with
EAP-TTLs/PAP - which, whilst it lets you do your secure server stuff, means
that you can have users with badly configured clients which dont do the
required CA checking or RADIUS CN checking - who will then quite happily send me,
running a nasty MiTM attack RADIUS server, their username+password.

your worries seem to be at the wrong end of the security mix. where YOU control
the security ecpsystem you can do other things...after all, your RADIUS server can quite happily
log in clear text your secure things..


More information about the Freeradius-Users mailing list