On Fri, Jun 17, 2011 at 8:36 AM, <[email protected]> wrote:
> This problem is even worse if the user is traveling at a partner's
> institution and using eduroam, in that if that partner institution's RADIUS
> server has user-password logging enabled, they too can see my user's
> password.

That's not correct. The "partner institution" (the place your user visits) only proxies radius requests. They don't know what is inside. They don't see any passwords from your users.

They would only see the password if one of your users incorrectly tries to authenticate against the "partner institution" domain. But this should never happen if they set up eduroam correctly, set the correct user name including the domain name of your institution and also only accept the certificate of your radius server.

If the eduroam wireless connection is set up correctly on the computer and the user uses it correctly, the "partner institution" radius server will only see the outer identity and then proxies the requests back to your radius server. This requires correct settings on the user's computer and knowledge not to accept certificates or radius servers which you did not configure before...

Gerald

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
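
As an added example (not part of the original message or of FreeRADIUS): a small Python check that audits an eduroam client profile for the settings named in the reply above, namely a user name with realm, an outer identity, and acceptance of only the home RADIUS server's certificate. The wpa_supplicant syntax, the realm `home.example`, the server name and the CA path are assumptions chosen for illustration.

```python
import re

# Constructed sample network blocks (wpa_supplicant.conf syntax); the realm,
# server name and CA path are placeholders, not values from the thread.
WEAK = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
'''
HARDENED = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@home.example"
    anonymous_identity="anonymous@home.example"
    password="placeholder"
    ca_cert="/etc/ssl/certs/home-example-ca.pem"
    domain_suffix_match="radius.home.example"
    phase2="auth=MSCHAPV2"
}
'''

def parse_network(block):
    """Return the key=value settings of one network block, quotes stripped."""
    pairs = re.findall(r'^\s*(\w+)=(.*?)\s*$', block, re.MULTILINE)
    return {k: v.strip('"') for k, v in pairs}

def audit(block):
    """List the client settings from the reply that this profile lacks."""
    cfg, findings = parse_network(block), []
    inner = cfg.get("identity", "")
    outer = cfg.get("anonymous_identity", "")
    if "@" not in inner:
        findings.append("identity has no realm of the home institution")
    if "@" not in outer:
        findings.append("anonymous_identity missing or without realm")
    elif outer.split("@")[1] != inner.split("@")[-1]:
        findings.append("outer and inner realm differ")
    if "ca_cert" not in cfg:
        findings.append("ca_cert missing: server certificate is not verified")
    if not (cfg.get("domain_suffix_match") or cfg.get("domain_match")):
        findings.append("server name not pinned to the home RADIUS server")
    return findings
```

`audit(WEAK)` reports four findings and `audit(HARDENED)` reports none.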

