Alan DeKok wrote:
> John Dennis wrote:
>> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>>> Using a known root CA for RADIUS authentication isn't really
>>> recommended.
>> Why?
>>
>> P.S. just to clarify, it's not "using a known root CA for
>> RADIUS authentication", rather it's using a server cert signed by a
>> known root CA.
>
> Sure.
>
> It's because *anyone* can set up an AP, and a RADIUS server that your
> PC will accept. If the AP has the same SSID as (say) your work, it will
> happily send your work username && login via EAP to the rogue AP.

The level of risk here varies depending on the EAP method. If you are using EAP-TLS, the server only gets a copy of the certificate, so there is no risk of him stealing your credentials. With EAP-PEAP/MSCHAPv2 I believe the attacker can get enough information to perform a dictionary attack against your password, which depending on its strength may or may not be a problem (I'm not certain about this one, if somebody else wants to chime in). And then there is EAP-TTLS, where the rogue server will end up with a cleartext copy of the username and password if the user can be tricked into accepting the server's certificate.

> The various EAP methods *should* have tied usernames (i.e. domains) to
> a field in the certificate. e.g. a cert with CN "[email protected]"
> should be sent logins for "[email protected]", but NEVER sent logins for
> "[email protected]"
>
> You should ONLY send your login credentials when you *know* who it is
> on the other end of the EAP conversation.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
-----------------------------------------------------------------
| David Mitchell ([email protected])            Network Engineer IV |
| Tel: (303) 497-1845                          National Center for |
| FAX: (303) 497-1818                         Atmospheric Research |
-----------------------------------------------------------------
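The realm-to-certificate tie Alan describes, as an added illustration (not code from this thread, FreeRADIUS or any supplicant): a supplicant-side check that releases a password only when the certificate chain is trusted and the certificate names a host inside the realm of the identity being sent. Domain names such as example.com and attacker.example are constructed placeholders; the caller is assumed to have extracted the DNS names (SAN dNSName entries, or the CN when there is no SAN) from the server certificate.

```python
from typing import Iterable, Optional

# Supplicant-side policy for the rogue-AP case in the thread: a server cert
# that chains to a known root CA is necessary but not sufficient; it must also
# name a host in the user's own realm. Illustrative code, not a real supplicant.


def nai_realm(identity: str) -> Optional[str]:
    """Realm part of a Network Access Identifier ("user@realm"), lower-cased.
    Returns None for a bare username or for a realm with fewer than two
    labels (a bare TLD such as "com" would otherwise match every cert under it)."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if realm.count(".") < 1 or realm.startswith("."):
        return None
    return realm


def name_in_realm(realm: str, cert_name: str) -> bool:
    """True if a DNS name from the certificate is the realm itself or a host
    beneath it (radius.example.com for realm example.com). A leading "*."
    wildcard is read as "some host in that domain". The comparison is on
    whole labels, so example.com.attacker.example does not match."""
    name = cert_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == realm or name.endswith("." + realm)


def may_send_credentials(identity: str, cert_names: Iterable[str],
                         chain_trusted: bool) -> bool:
    """Release the password only when the chain is trusted AND the cert names a
    host in the user's realm. A rogue AP with the right SSID and a valid
    public-CA cert for its own domain passes the first test and fails the second."""
    if not chain_trusted:
        return False
    realm = nai_realm(identity)
    if realm is None:
        return False
    return any(name_in_realm(realm, n) for n in cert_names)


if __name__ == "__main__":
    # Constructed sample values.
    user = "alice@example.com"
    print(may_send_credentials(user, ["radius.example.com"], True))       # True
    print(may_send_credentials(user, ["radius.attacker.example"], True))  # False
    print(may_send_credentials(user, ["radius.example.com"], False))      # False
```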

