On 06/17/2011 08:15 AM, Reg Emailster wrote:
> Thanks Gerald for the reply.
> Just to confirm, you are saying that at the partner's institution,
> the user's client will set up an encrypted channel all the way back
> to the client's home institution RADIUS server (determined using the
> login realm), and their plain password will be passed inside this
> encrypted channel?
Correct. In Eduroam, the EAP flows between a client and their home site.
The visited site is just a proxy, and only ever receives the final
per-session random crypto keys needed for WPA-Enterprise to encrypt the
wireless link.
However: a malicious visited (partner, as you call it) site or an
attacker impersonating an eduroam site could in theory try to terminate
the TTLS portion of the EAP. This is why "validate server certificate"
is so important. Be sure you instruct your clients to tick the
appropriate boxes.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
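The configuration side of the "validate server certificate" advice above, as an added example that is not part of the list thread: a wpa_supplicant network block for EAP-TTLS with PAP inside the tunnel, showing the weak form (no CA pinning, no server-name check) beside the hardened form. The realm example.edu, the user name, the CA file path and the server name radius.example.edu are constructed placeholders.

```ini
# Constructed example (not from the mailing-list thread). Realm, user,
# server name and file paths are placeholders; substitute the values
# issued by the user's home institution.

# WEAK: no ca_cert and no name match. The supplicant accepts whatever
# certificate the other end of the TTLS tunnel presents, so a rogue
# visited site that terminates the tunnel itself sees the PAP password.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="alice@example.edu"
    password="s3cret"
}

# HARDENED: pin the home institution's CA and require the server name
# to match, so the tunnel is only accepted when it terminates at the
# home RADIUS server reached via the realm.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    # Outer identity carries only the realm, which the visited site
    # needs for proxying; the real user name stays inside the tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="s3cret"
    # CA that issued the home RADIUS server's certificate
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    # Reject a server whose certificate SubjectAltName does not end
    # in this name, even if it chains to the pinned CA
    domain_suffix_match="radius.example.edu"
}
```

The GUI supplicants on Windows and macOS expose the same three controls under different labels: the "validate server certificate" tick box, the trusted root CA selection, and the expected server name. Ticking only the first without pinning the CA and the name still lets any publicly trusted certificate terminate the tunnel.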