Freeradius vs Security
Sebastian Hagedorn
Hagedorn at uni-koeln.de
Tue Apr 2 15:48:13 CEST 2019
Hi,
our solution is to "force" our users to use an installer for their
settings. There is a free version of this kind of installer available here:
<https://cat.eduroam.org/>
This installer installs the root certificate in the certificate chain and
configures the client so that it actually checks the validity of the
certificate the RADIUS server presents – especially Android devices don't
usually do that.
--On 2 April 2019 at 10:32:17 -0300 Andre Forigato <andre.forigato at rnp.br>
wrote:
> I need to share information about the safety of Eduroam.
>
> If a hacker installs an access point with the name of Eduroam, and this
> access point points to a Freeradius server, it is possible that the
> malicious person sees all the logins and passwords in the Freeradius logs.
>
> How to avoid this situation? Should user institutions force their
> students to use personal certificates? (certificate issued by the
> institution itself to its students)
>
> Reaffirming that the idea here is how to make users of university
> institutions not fall into the trap of malicious people. Anyone can set
> up an access point pointing to a fake freeradius server. And these
> malicious people can get the username and password from all the devices
> that connect to the Eduroam access point.
>
> How can we solve this problem?
--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.