Walter Reynolds <[EMAIL PROTECTED]> wrote:
> I know this. But what prevents a user from just giving this password to
> another.

Nothing. At some point, you have to admit that the only way you "know" it's a particular user is because of the password. Certs won't solve this problem, and neither will passwords.

It sounds like you don't need EAP-TTLS or anything else. Instead, you need to use one-time password cards (e.g. RSA or Cryptocard). Then people can't give the password away to someone else.

> Maybe I need clarification. With TLS, the user machine is checked based
> on its requirement for a cert. The server is checked by its cert as well.
> Does the server cert have to be signed by the same server that signed the
> supplicant's cert?

Yes. Or, the supplicant cert has to be signed by the server cert.

> And what if a public service (Verisign, Entrust.....) was used. If
> a supplicant tried to connect it would have the root CA in its
> keystore so no warning would be there.

Yes. There are limitations to existing technology.

> And what about using the built-in Mac supplicant. I see no way to input
> the server's cert anyway.

You could input it as a new "root" certificate.

> What am I missing?

You're trying to solve a problem with technology that can't solve the problem. For most of what you're worried about, use one-time token cards, client certificates signed by the server cert, and a self-signed server cert. It won't address all of your concerns, but then again, no existing technology will.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

