AES encrypted passwords
Matthew Newton
mcn4 at leicester.ac.uk
Fri Sep 30 13:01:16 CEST 2016
On Fri, Sep 30, 2016 at 11:53:27AM +0100, freeradius-users at latter.org wrote:
> On 30/09/16 11:25, Matthew Newton wrote:
> >Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the
> >only real big exceptions I'm aware of. And if XP is a problem then
> >that's the least of your issues.
>
> I thought Windows 7 *did* support it. (Out of the box, in case
> that is not crystal clear!)
It arrived in Windows 8.
> >But then, you should install a client CA root cert with pretty
> >much whichever EAP method you use, otherwise you risk the same
> >problem, to a greater or lesser degree, depending on the inner
> >method. So this is something you should be doing anyway.
>
> However I have just looked at the instructions we give to users
> wishing to connect their Windows 8 machine to the wifi network
> and have seen this:
>
> - Untick “Verify the server’s identity by validating the certificate”
Noooo :(
> So presumably we are at risk of people spoofing the SSID?
Yes
> (although I believe the Aerohive kit has stuff to identify
> and deal with what they call "rogue" access points).
And when the rogue Access Point is not within hearing distance of
your own APs? It sounds like a good feature, but it will again
only provide an illusion of security.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>