eap type for Windows client authentication without certificate

Martin Pauly pauly at hrz.uni-marburg.de
Fri Sep 13 10:05:48 CEST 2019

On 13.09.19 at 05:27, Tal Nur via Freeradius-Users wrote:

> I think I'm asking a simple question. I installed FR 3.0.19 for eduroam
> and I used configuration files from eduroam.org. I noticed that my
> Windows clients must install the CA certificate to successfully log
> in. My question is what type of EAP I should use to allow them to be
> authenticated without a certificate?

Why would you want to work without a CA cert on the client?  The whole idea
of 802.1X is about building an SSL/TLS tunnel WITH authentication first.
Only then is sensitive data such as passwords, keys, MS-CHAPv2 data etc.
transmitted, protected by the tunnel.
The CA system makes verifying a peer's identity manageable:
You just need some 450+ CA certs in your store to be able to
verify any server cert in the world (provided the CA in question
has not been compromised). All the mainstream client OSs have
these on board, and manufacturers update the collection along
with the regular OS updates. If yours is missing, adding it to
the trusted root certs is easy (manually, or by calling e.g. certutil).

If your client does not verify the peer's cert, but blindly accepts it,
you're all lost: An attacker can claim to be eduroam. Clients that don't
verify the cert accept the false server's public key and build
an SSL tunnel, but a bad one. The client transmits its credentials,
encrypted, exclusively to the attacking server! This is known
as the "Evil Twin" attack and has been explained here
and elsewhere a hundred times.

Windows clients are a bit special, though. With MS-CHAP, Microsoft had attempted
to create a Challenge-Response protocol that could do strong mutual auth
without certs. That was back in the 1990s when SSL/TLS was not
yet established. While this is entirely possible, MS never got it right.
The protocol survived and became a standard as MS-CHAPv2,
but was soon proven to be insecure. So it needs a good tunnel
WITH authentication to protect it, just as a plaintext password would.

In the meantime, there IS a protocol like that, called EAP-PWD, and it is
supported by FR, but I do not know of any Windows implementation.

If you want to set up eduroam for a large number of BYOD devices,
put your data including the CA cert on cat.eduroam.org and have
users use that. It will work for ~90% of devices.

Sorry if I seem obsessed with Evil Twin, but "Encrypt without Auth"
seems to be one of the major security fallacies of our time.
(meraki.cisco.com told you to do so until recently, dozens of universities do,
and the old GSM phone network does not even have a protocol element in SS7 to
verify what network you're connecting to).

Cheers, Martin

   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
