TLS certificates authorities.

Alan DeKok aland at
Fri Sep 9 15:51:42 CEST 2016

On Sep 9, 2016, at 9:48 AM, Turner, Ryan H <rhturner at> wrote:
> To add an experience about this...  We 'used' to run EAP-TTLS with PAP (because of the Kerberos backend) for our secured wireless SSID.  We have about 8,000 access points and over 70,000 wireless users daily.  We had users configure their devices through Cloudpath (we now use SecureW2) to make sure that they require server certificate validation and that it was limited to a private CA.  I became concerned at the security implications for users that did NOT onboard with the proper configurator (those people who manually configure their device and don't enter in anything to prevent MITM attacks).  I set up a honeypot with a freeRadius server on the backend by configuring a Linksys Router to broadcast our SSID.  The freeRadius on the backend was not configured with any of our stuff, and I ran it in debug mode.  Within 5 minutes, I had several credentials.

  We've done similar tests.  People just don't care about security, because it's not their area of expertise.

> We switched entirely to EAP-TLS within 6 months, and we've been that way for over 3 years now, onboarding hundreds of thousands of devices without issue in a large environment.  I strongly urge folks to get off username/password EAP types for wireless.  Too much risk.

  I agree.

  Alan DeKok.
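A defender-side check for the manually configured clients Ryan describes, added here as an example that is not code from the post or from FreeRADIUS: it parses wpa_supplicant network blocks and flags password-carrying EAP profiles (TTLS, PEAP, FAST) that have no CA or no server-name pinning, which is exactly the gap a rogue AP with an unconfigured RADIUS backend exploits. The SSID, file paths and sample configuration are constructed, and the check assumes key_mgmt is set explicitly in each block.

```python
"""Added example (not from the list post): audit wpa_supplicant network blocks
for EAP settings that would hand the user's password to a rogue access point.
The SSID, file paths and sample config are constructed for illustration."""
import re

PASSWORD_EAP = {"TTLS", "PEAP", "FAST"}  # inner-password methods (TTLS/PAP etc.)
IDENTITY_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match")
_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def parse_networks(conf_text):
    """Return one {key: value} dict per network={...} block, in file order."""
    return [dict(_KV.findall(body)) for body in _BLOCK.findall(conf_text)]

def audit_network(net):
    """Return findings for one block; an empty list means it is acceptable."""
    if "EAP" not in net.get("key_mgmt", "").upper():
        return []  # PSK/open network: no EAP credentials to protect
    findings = []
    if net.get("eap", "").upper() in PASSWORD_EAP:
        # Without ca_cert wpa_supplicant accepts any server certificate, so an
        # AP that terminates the TLS tunnel itself receives the inner password.
        if not net.get("ca_cert"):
            findings.append("no ca_cert: any server certificate accepted")
        # A CA alone is not enough: any certificate issued by that CA (and, for
        # a public CA, anyone's) would pass, so the server name must be pinned.
        if not any(net.get(k) for k in IDENTITY_KEYS):
            findings.append("no domain/altsubject match: server name not pinned")
    return findings

# Constructed sample: a manually configured TTLS/PAP profile, then the same
# profile as a provisioning tool (Cloudpath/SecureW2 style) would write it.
SAMPLE_CONF = """
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="ExampleCampus"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-private-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=PAP"
}
"""
```

Running `audit_network` over `parse_networks(SAMPLE_CONF)` reports two findings for the first block and none for the second; an `eap=TLS` block is never flagged because no password crosses the tunnel.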
