> however, this puts the security on the client end...and they'll still
> get a connection with the proper server even if they've omitted
> all the checks. this is bad generally - you need to have a way
> of the server checking that these client settings are enforced.
> oh well. I guess that's what locked-down desktops, corporate images,
> GPO pushed settings etc are all for. not handy for supporting
> the average user.

That road is painful. What we've come up with so far is supplying pre-configured supplicants (SecureW2) that bring the proper CA certificate along and set the expected CN automatically. It can even be preconfigured to auto-discard any other certificates, which doesn't give the user any opportunity to mess around.

Of course, that is just pre-setting checkboxes in the supplicant. If a user *really* wants to sacrifice security for getting online cheap and easy on possible fraud networks, he can still toggle the settings manually later and shoot himself in the foot with it.

For the built-in supplicant in XP/Vista: it generally sucks. There is the new "Wireless Native API" that is supposed to allow scripted auto-setups of 802.1X settings for an SSID, but we haven't tested if that's really practical. If you can find a student to code on that API, please go ahead :-)

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

