Freeradius authentication against Kerberos

Alan DeKok aland at
Sat Aug 2 10:59:49 CEST 2014

Wang, Yu wrote:
> Yes, I was referring to MITM with a rogue AP broadcasting the campus SSID and harvesting the username and password sent in the clear.

  EAP doesn't work like that.

  The only way to harvest the username and password is:

 1) the AP has a copy of your server certificate (i.e. they've stolen it), or

 2) the user checks the "do not validate server certificate" box in
their EAP configuration.

> MITMA is a reality, especially in academic environment.

  PEAP and TTLS are designed to keep passwords secret from observers.

  TLS is designed to make MITM attacks impossible.

  So... whoever told you that TTLS was insecure didn't know what they
were talking about.  It's fine.

  Alan DeKok.
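As an added example (not code from this post, from FreeRADIUS, or from wpa_supplicant), a small audit of wpa_supplicant-style network blocks that flags the client-side mistake described above: a TTLS/PEAP profile with no ca_cert (no server certificate validation) or no server-name match, which is what lets a rogue AP's certificate be accepted. The sample configuration is constructed; the key names are wpa_supplicant's.

```python
import re

# Constructed sample config (not from the original post): the first block
# pins the RADIUS server's CA and name, the second accepts any certificate.
SAMPLE_CONF = """
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="hunter2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_blocks(text):
    """Return one key -> value dict per network={...} block."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)  # split on the first '=' only
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit(text):
    """Return (ssid, eap, findings) per TTLS/PEAP block; [] means CA and name are pinned."""
    results = []
    for b in parse_blocks(text):
        if b.get("eap") not in ("TTLS", "PEAP"):
            continue
        findings = []
        if "ca_cert" not in b:
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(k in b for k in ("domain_suffix_match", "domain_match")):
            findings.append("no name match: any cert from that CA is accepted")
        results.append((b.get("ssid"), b["eap"], findings))
    return results
```

Run audit() over a real supplicant configuration to list the profiles that would hand their credentials to any AP presenting any certificate.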

More information about the Freeradius-Users mailing list