On 12 Sep 2011, at 16:41, Bruce Nunn wrote:

> If the network your APs are on is physically secure, and you don't need
> accounting for individual APs, you can use netmasks to define clients in the
> clients.conf file.

Why would using a shared, shared secret or netmasks mess with accounting?

But yes, honestly, MD5 has been broken for some time; the only reason to use individual shared secrets is if you're still running something like PAP for Terminal login to the Access Point itself. Using a shared, shared secret does reduce the security of the protocol and increase the probability that the secret could be obtained... and of course if you've got one you've got them all.

But if you're just running EAP with a TLS layer, then the only thing it buys you is DDoS protection and request/response integrity, and that's only useful if the attacker is in a position to play MITM, or flood your server with requests...

-Arran

Arran Cudbard-Bell
[email protected]

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
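The two clients.conf styles being discussed, side by side as an added illustration (not from the thread; FreeRADIUS clients.conf syntax, using RFC 5737 documentation addresses and placeholder secrets):

```conf
# Constructed example: addresses are documentation ranges, secrets are placeholders.

# Per-AP definitions: each AP has its own secret, and every request and
# accounting packet is logged under that AP's client name.
client ap-lobby {
        ipaddr    = 192.0.2.10
        secret    = CHANGEME-lobby-only
        shortname = ap-lobby
        nastype   = other
        # Reject requests lacking a valid Message-Authenticator (HMAC-MD5 over
        # the packet, keyed with this secret); EAP requests carry it anyway.
        require_message_authenticator = yes
}

client ap-floor2 {
        ipaddr    = 192.0.2.11
        secret    = CHANGEME-floor2-only
        shortname = ap-floor2
        nastype   = other
        require_message_authenticator = yes
}

# Netmask definition, as in the quoted message: one entry covers the whole AP
# subnet with a single shared secret. All APs are then accounted under the
# same client name ("ap-subnet"), and a secret recovered from any one AP is
# valid for every AP in the range.
client ap-subnet {
        ipaddr    = 192.0.2.0/24
        secret    = CHANGEME-shared-by-all-aps
        shortname = ap-subnet
        nastype   = other
        require_message_authenticator = yes
}
```

In a real deployment you would pick one style per subnet rather than defining both; they are shown together only to make the trade-off visible.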

