Enforcing cryptobinding

Alan DeKok aland at deployingradius.com
Fri Nov 22 19:42:45 CET 2019


On Nov 22, 2019, at 12:14 PM, Nik Mitev <nik at mitev.co.uk> wrote:
> 
> I was looking at this article about the sycophant attack
> https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/ and the
> success of it reportedly hangs on whether cryptobinding is enforced or
> not.
> 
> On NPS it is not enforced by default, but there is a "Disconnect
> clients without cryptobinding" setting that can be enabled.
> 
> Can anyone confirm what is the FR default on cryptobinding and whether
> it can be changed in configuration? If it is not enabled by default,
> can it be enabled? If it is enabled by default, can it be disabled -
> inadvertently or on purpose.

  There is no standard for cryptographic binding for PEAP.  If you can find one, we're happy to implement it.

  There is a standard for TTLS, and FreeRADIUS enforces it by default. See:

https://tools.ietf.org/html/rfc5281#section-11.1

 There is no way to disable it for TTLS.

  Alan DeKok.
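As an added illustration (not part of the thread, and not FreeRADIUS code) of the TTLS binding Alan points to: RFC 5281 section 11.1 derives an "implicit challenge" for the inner method from the TLS master secret and the two handshake randoms, so an inner MS-CHAPv2 exchange only verifies inside the tunnel it was derived in. The example assumes TLS 1.2 (PRF = P_SHA256) and uses constructed sample secrets; it is written for Python 3 standard library only.

```python
import hmac
import hashlib

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA256 expansion (RFC 5246 section 5): HMAC chain over A(i)."""
    out = b""
    a = seed                                     # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # block i
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def ttls_implicit_challenge(master_secret: bytes, client_random: bytes,
                            server_random: bytes, length: int) -> bytes:
    """RFC 5281 section 11.1: PRF(master_secret, "ttls challenge",
    client_random + server_random). Note the client-first ordering."""
    return tls12_prf(master_secret, b"ttls challenge",
                     client_random + server_random, length)

def mschapv2_inner_challenge(master_secret: bytes, client_random: bytes,
                             server_random: bytes):
    """MS-CHAP-V2 inside TTLS takes 17 octets of implicit challenge:
    the first 16 are the MS-CHAP-Challenge, the 17th is the Ident."""
    material = ttls_implicit_challenge(master_secret, client_random,
                                       server_random, 17)
    return material[:16], material[16]

def challenge_bound_to_tunnel(challenge: bytes, master_secret: bytes,
                              client_random: bytes, server_random: bytes) -> bool:
    """Server-side check: the challenge the peer answered must be the one
    derived from THIS tunnel's TLS state, otherwise the inner exchange was
    not produced in this tunnel and must be rejected."""
    expected, _ident = mschapv2_inner_challenge(master_secret, client_random,
                                                server_random)
    return hmac.compare_digest(challenge, expected)

# Constructed sample tunnel state (not real keys); two tunnels differ only in
# their handshake randoms, so their inner challenges differ.
MASTER_SECRET = hashlib.sha256(b"constructed master secret").digest() * 2  # 48 bytes
TUNNEL_A = (MASTER_SECRET, b"A" * 32, b"a" * 32)
TUNNEL_B = (MASTER_SECRET, b"B" * 32, b"b" * 32)

if __name__ == "__main__":
    chal_a, ident_a = mschapv2_inner_challenge(*TUNNEL_A)
    print("tunnel A challenge:", chal_a.hex(), "ident:", ident_a)
    print("A's challenge accepted in B?", challenge_bound_to_tunnel(chal_a, *TUNNEL_B))
```

Because the challenge never travels in the clear and differs per tunnel, an inner MS-CHAPv2 response cannot simply be carried into a different TLS session, which is the property the question is asking about for TTLS.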
