AES encrypted passwords

freeradius-users at freeradius-users at
Fri Sep 30 12:53:27 CEST 2016

On 30/09/16 11:25, Matthew Newton wrote:
> Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the
> only real big exceptions I'm aware of. And if XP is a problem then
> that's the least of your issues.

I thought Windows 7 *did* support it.  (Out of the box, in case
that is not crystal clear!)

If it does not then it is a definite no-no - definitely lots of
users on our network still using W7.

I have even found some using XP and Vista in the last few months,
although I cannot tell from the Apache logs whether they are wired
or wifi.

> But then, you should install a client CA root cert with pretty
> much whichever EAP method you use, otherwise you risk the same
> problem, to a greater or lesser degree, depending on the inner
> method. So this is something you should be doing anyway.

As I indicated earlier - this side of things is not really my bag.
Mostly, I write code.

However I have just looked at the instructions we give to users
wishing to connect their Windows 8 machine to the wifi network
and have seen this:

  - Untick “Verify the server’s identity by validating the certificate”

So presumably we are at risk of people spoofing the SSID?

(although I believe the Aerohive kit has stuff to identify
and deal with what they call "rogue" access points).

More information about the Freeradius-Users mailing list