moving from WPA2 to WPA2 Enterprise

Ben Humpert ben at an3k.de
Wed Jun 24 01:25:19 CEST 2015


2015-06-23 23:28 GMT+02:00 Jochen Demmer <jochen.demmer at peakwork.com>:
> So Windows 7 doesn't support EAP-TTLS out of the box, right?
> I actually don't feel very comfortable with the idea of installing third-party software on all machines.

The required software has been used for many years by many people. For
example, various universities provide it with their eduroam program to
enable their students and employees to use EAP-TTLS. Just do a quick
Google search for "SecureW2" and even the first two pages list plenty of
well-known universities.

But if you still don't want to use it: why not use EAP-TLS? It's not
tunneled, but it is supported by nearly everything, even Windows XP. And if
you want it to be very secure you could require users to enter the
private key password every time they use it and additionally store the
key/cert on a smartcard (YubiKey NEO).

> What other options are there? My feeling is that the second-best option is to use client certificates. But would I still be able to use OpenLDAP in the background?
> What about revocation lists? How do I take care of them?

You can add your own OID to your client certificates as Certificate
Policies (https://www.openssl.org/docs/apps/x509v3_config.html#Certificate-Policies)
and those can be used by RADIUS / LDAP.


More information about the Freeradius-Users mailing list
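Added example, not part of Ben's reply and not FreeRADIUS code: a POSIX shell script that uses the OpenSSL command line to do what the two questions and the answer above describe end to end. It issues an EAP-TLS client certificate that carries a custom Certificate Policies OID (the mechanism Ben points to in x509v3_config), checks that the OID is present, then revokes the certificate with `openssl ca` and regenerates a CRL, and finally shows `openssl verify -crl_check` rejecting the revoked certificate. The CA name, the user names, the 7-day CRL lifetime and the OID `2.999.1.1` are placeholders (2.999 is the ITU-T arc reserved for examples; in production use an OID under your own registered enterprise arc).

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): issue an EAP-TLS
# client certificate carrying a custom Certificate Policies OID, check for the
# OID, then revoke the certificate and publish a CRL, all with OpenSSL.
# CA name, user names and the OID 2.999.1.1 are placeholders for the example.
set -eu

WORK="$(mktemp -d)"
POLICY_OID="2.999.1.1"   # placeholder OID under the ITU-T "examples" arc

# Self-signed CA (explicit CA:TRUE / cRLSign so the CRL verifies on any
# OpenSSL version) plus the minimal "openssl ca" state needed for revocation:
# an empty certificate database and an initial CRL number.
make_ca() {
  cat > "$WORK/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = example_ca
[ example_ca ]
dir              = $WORK
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/ca.srl
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
}

# Issue a client certificate for user "$1" with the clientAuth EKU and our
# policy OID in the Certificate Policies extension.
issue_client_cert() {
  cat > "$WORK/$1.ext" <<EOF
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = clientAuth
certificatePolicies = $POLICY_OID
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# True when the certificate's Certificate Policies extension lists our OID.
has_policy() {
  openssl x509 -in "$1" -noout -text | grep -q "Policy: $POLICY_OID"
}

# Mark a certificate as revoked in the CA database (index.txt).
revoke_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null
}

# (Re)generate the CRL from the database; this is the file the RADIUS
# server would read.
gen_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Chain validation with CRL checking; returns non-zero once revoked.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
    "$1" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_client_cert alice
  has_policy "$WORK/alice.crt" && echo "alice.crt carries policy $POLICY_OID"
  gen_crl
  verify_with_crl "$WORK/alice.crt" && echo "alice.crt accepted (empty CRL)"
  revoke_cert "$WORK/alice.crt"
  gen_crl
  verify_with_crl "$WORK/alice.crt" || echo "alice.crt rejected after revocation"
}

demo
```

Note that revocation only takes effect once the regenerated CRL actually reaches the RADIUS server, so the CRL lifetime (`default_crl_days` here) bounds how long a revoked certificate can keep authenticating; keep it short and automate regeneration. FreeRADIUS's EAP-TLS configuration has a `check_crl` setting for exactly this kind of check.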