Logging config to get certificate details

Jim Potter j.potter at bathspa.ac.uk
Mon Mar 25 10:29:19 CET 2019


Hi Alan,

OK, thanks for the advice here. Historically, everyone has set up their
devices manually, and I have a suspicion that some have been told to ignore
the certificate, so if I do set up a rogue access point, this WILL catch
anyone with this configured, correct?

cheers,

Jim

On Mon, 25 Mar 2019 at 09:15, Alan DeKok <aland at deployingradius.com> wrote:

> On Mar 25, 2019, at 5:06 AM, Jim Potter <j.potter at bathspa.ac.uk> wrote:
> > So doesn't the client return a PEAP request containing the MSCHAPv2 request
> > encrypted using the server certificate?
>
>   No.
>
>   PEAP essentially sets up a TLS connection between the two endpoints.  It
> then sends MS-CHAPv2 data inside of the TLS tunnel.
>
>   The MS-CHAPv2 is protected via the TLS protocol.  It is *not* "encrypted
> using the server certificate".
>
> > My hope was that if a client device
> > wasn't using a cert at all,
>
>   The client device gets the server cert sent to it by the server, as part
> of the TLS exchange.  The client device is free to *ignore* this server
> certificate.
>
> > I could see the format of the reply or
> > something similar... but then if the clients are using whatever cert is
> > sent out, but not validating it, that wouldn't show up.
>
>   Yes.
>
> > OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or
> > similar with a self signed certificate), I could see who connects
> > regardless of the dubious cert, then chase them up. Would that work?
>
>   People will connect if they configure it manually.  Which most won't.
>
>   There really isn't any point in doing this.  You won't get any useful
> information from it.
>
>   Alan DeKok.
>
>



-- 
thanks,

Jim Potter
User Platform Engineer
IT Services
Bath Spa University



More information about the Freeradius-Users mailing list
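
The thread's point is that the server cannot see whether a client validated the certificate it was sent, so the check has to happen on the client's own configuration. The following is an added example, not part of the original messages: it audits a supplicant configuration for PEAP/TTLS networks that have no trust anchor or server name constraint. It assumes the clients use wpa_supplicant (not mentioned in the thread); the sample file, SSIDs, path and hostname are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (not taken from the thread).
SAMPLE_CONF = '''
network={
    ssid="campus-manual"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-validated"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
'''

# wpa_supplicant options that anchor trust and that constrain the server name.
TRUST_ANCHOR = ("ca_cert", "ca_path")
NAME_CHECK = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
CHECKS = [("no CA configured, server certificate is not verified", TRUST_ANCHOR),
          ("no server name constraint", NAME_CHECK)]

def parse_networks(conf_text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf_text, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit(conf_text):
    """Return (ssid, problems) for each tunnelled-EAP network missing a server check."""
    findings = []
    for net in parse_networks(conf_text):
        methods = set(net.get("eap", "").upper().split())
        problems = [msg for msg, keys in CHECKS if not any(net.get(k) for k in keys)]
        if methods & {"PEAP", "TTLS"} and problems:
            findings.append((net.get("ssid", "?"), problems))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
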