TLS certificates authorities.

Bogdan Rudas brudas at
Fri Sep 9 10:05:03 CEST 2016

On Fri, Sep 9, 2016 at 10:52 AM, Stefan Winter <stefan.winter at>

> Hi,
> > Could you please clarify your warning regarding client configuration? Some
> > systems allow my EAP-TTLS+PAP configuration out of the box, do you mean
> > it could be insecure? Is there any way to prevent client authentication
> > unless it has my CA installed?
> The TLS channel is the only line of defence against credential theft. If
> users choose to ignore security warnings related to the certificate,
> anyone can present an arbitrary certificate and the user's device will
> merrily deliver the password in cleartext to anyone who's asking.
> The situation is *slightly* less critical with TTLS-MSCHAPv2 or PEAP
> because at least they only transmit the NTHash of the user's password,
> not the cleartext.
> NTHash can meanwhile be broken rather trivially though, so this won't
> stop a determined attacker.
> Getting the cert validation done right really is the only working
> repellant against rogue AP+rogue RADIUS server attacks.
Thank you, Stefan.
This is clear to me. Is there any EAP flavor that uses a strong hash
and can handle SSID spoofing well?

Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
E-mail: brudas at
Skype ID: bogdan.rudas
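
The certificate-validation point from the quoted reply, as an added example that is not part of the original thread: a small Python audit of a wpa_supplicant configuration that flags EAP networks which do not pin a CA or check the server name. The sample configuration (SSIDs, paths, host names) is constructed, and the finding labels are this example's own.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and host names are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map ssid -> findings for EAP networks that do not fully validate the server."""
    report = {}
    for net in parse_networks(text):
        if "EAP" in net.get("key_mgmt", ""):  # PSK/open: no server cert to check
            findings = []
            if not (net.get("ca_cert") or net.get("ca_path")):
                findings.append("no-ca")          # any server certificate is accepted
            if not any(net.get(k) for k in NAME_CHECKS):
                findings.append("no-name-check")  # any cert issued by the CA is accepted
            if findings and "auth=PAP" in net.get("phase2", ""):
                findings.append("cleartext-pap")  # password goes to an unverified server
            report[net["ssid"]] = findings
    return report
```
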



More information about the Freeradius-Users mailing list