> "Most supplicants". So there's a chance that a supplicant might not do > so?
Yes. It's implementation-specific. The Win XP built-in supplicant for example does not do it. > Is the Identity in the EAP-Message in the first packet always the > same as the User-name i see in all packets? Yes, that's what the RFC demands. > I'm searching through my dell wireless wlan card utility and i'm pretty sure > i can't hide it. Are dell breaking any rfcs or other standards that i can > take them up on? No. It's optional. If Dell doesn't do it, bad luck. But you can always install a supplicant that does it, for example at www.securew2.com (very nice supplicant, IMO). > This is quite worrying for me as it seems to make the setup quite > insecure instead of making it more secure as i had originally hoped. > Perhaps a shared key and a captive portal would provide better security. > I understand the weakness, but i dont see that it would be weaker than a > shared key alone and has the advantage of not allowing the username to > be read by any arbitrary person. Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network. OTOH, what's so secret about a user name? User names are the _public_ parts of credentials, it's the passwords that are critical. If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name. Captive portals are a step back with regards to security. Greetings, Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
pgpuGNzTxR9ms.pgp
Description: PGP signature
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
