Freeradius vs Security
Andre Forigato
andre.forigato at rnp.br
Tue Apr 2 16:58:18 CEST 2019
Thank you all for the collaboration,
Brian Julin
Mathieu Simon
Sebastian Hagedorn
Hans Christian
Alan DeKok
And I especially thank Brian Julin for his help and explanation.
We are implementing Eduroam in federal universities and also in government. And I was looking for help.
Some universities have not agreed to use CAT Eduroam, and are developing their own applications for their users.
And I am being questioned by several authorities about security: what would be the best security?
For this reason I decided to consult our experts here in the list.
Best Regards
Sincerely,
André Luis Forigato
----- Original message -----
> From: "Brian Julin" <BJulin at clarku.edu>
> To: "Andre Forigato" <andre.forigato at rnp.br>, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, 2 April 2019 11:03:52
> Subject: Re: [EXT] Freeradius vs Security
> Andre Forigato <andre.forigato at rnp.br> wrote:
>> I need to share information about the safety of Eduroam.
>
> Not just eduroam... an advanced attacker can target any SSID.
>
>> If a hacker installs an access point with the name of Eduroam, and this
>> access point points to a Freeradius server, it is possible that the malicious
>> person sees all the logins and passwords in the Freeradius logs.
>
> Not just FreeRADIUS, though it is probably the tool of choice, attackers
> can use any RADIUS server for this. It does not have to be the same
> kind of RADIUS server that the attacked institution uses.
>
>> How to avoid this situation? Should user institutions force their students
>> to use personal certificates? (certificate issued by the institution itself to
>> its students)
>
> If you can, the safest way to do it is to provision all clients with
> a trusted root certificate for a local CA, and when doing so, lock the clients
> to a particular DN, and if possible, to a particular set of CA roots.
> How you can configure a client... depends a lot on the client. Not
> all clients are as safe as others. Old Androids are especially bad.
>
> If you actually can install your own root on your clients, you can
> probably also use EAP-TLS without passwords. Many people prefer
> this system to MSCHAP or TTLS. The drawbacks are that usernames
> from the certificates will be easy to sniff out of the air (no privacy
> protection),
> and if a device is stolen, the user is unlikely to know how to revoke the
> certificate themselves, versus changing their password, which hopefully
> most of your users know how to do.
>
> The second best way to do this is with a public CA. In this case to be
> safe you need your clients to configure to only trust certificates ending
> in a domain name for which no responsible CA will issue certificates to
> anyone but you. This puts a lot of trust in the public CA system, and it
> is very hard to get users to properly configure their devices. You also
> have to pay attention to when the public CA roots expire and which
> clients have which public CA roots in their default operating store.
> The advantage to this system is it is possible to set up a client securely
> entirely by hand if you know what you are doing... there is no need
> to download and install extra configuration profiles (except on OSX and iOS
> because they took away the options to secure things by hand a couple
> of years ago). The problem, of course, is that most users do not know
> what they are doing and they will just type in their password when asked
> and the client will not have the correct settings.
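The client-side settings Brian describes (trust only a specific CA, lock the client to a particular server DN, or, with a public CA, to a domain suffix) map directly onto wpa_supplicant network blocks. The following configuration is an added example, not part of the original thread and not from any project mentioned in it; the SSID name is real, but the institution domain `example.edu`, the server name `radius.example.edu`, the file paths and the identities are assumed placeholders. The first block is the weak setting that lets a rogue "eduroam" access point with its own RADIUS server receive the user's credentials; the blocks after it are the hardened forms for the private-CA case (password-based and EAP-TLS) and for the public-CA case.

```conf
# WEAK: no ca_cert and no subject/domain constraint. wpa_supplicant will
# complete the TLS tunnel with whatever server certificate is presented, so a
# rogue AP advertising "eduroam" in front of any RADIUS server obtains the
# MSCHAPv2 exchange (or, with TTLS/PAP, the cleartext password).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"          # placeholder identity
    password="secret"                     # placeholder
    phase2="auth=MSCHAPV2"
}

# HARDENED, private CA: the institution's own root is provisioned on the
# device and the client is locked to the RADIUS server's certificate name.
# A rogue server cannot present a certificate that chains to this CA, so the
# inner authentication never starts.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"   # outer identity hides the real user from the air
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/eduroam/example-edu-root-ca.pem"   # assumed path to the local CA root
    # Only the server certificate whose SAN is exactly this dNSName is accepted.
    altsubject_match="DNS:radius.example.edu"
    # Substring match on the subject DN; belt and braces for older servers
    # that still rely on the CN rather than a SAN entry.
    subject_match="/CN=radius.example.edu"
}

# HARDENED, private CA with EAP-TLS: same server pinning, no password at all.
# Note the trade-off from the thread: the certificate's identity is visible
# on the air unless the outer identity is anonymised, and a lost device
# requires revoking the client certificate rather than changing a password.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    ca_cert="/etc/eduroam/example-edu-root-ca.pem"
    client_cert="/etc/eduroam/user-cert.pem"     # assumed path, issued by the institution
    private_key="/etc/eduroam/user-key.pem"      # assumed path
    private_key_passwd="key-passphrase"          # placeholder
    altsubject_match="DNS:radius.example.edu"
}

# HARDENED, public CA (the "second best" option): trust the operating system's
# CA bundle, but only accept a server certificate issued for the institution's
# own domain. Safety here depends on no public CA issuing an example.edu
# certificate to anyone else, and on the OS bundle still containing the
# root the RADIUS server's certificate chains to when that root rolls over.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # distribution CA bundle; path varies by OS
    domain_suffix_match="example.edu"               # server name must be example.edu or a subdomain
}
```

A quick way to confirm a profile actually enforces the pin is to point a test client at a lab RADIUS server presenting a certificate from a different CA: with the weak block the supplicant reaches the inner MSCHAPv2 phase, with the hardened blocks it logs a certificate verification failure and sends nothing beyond the outer identity.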