>>>> Actually the existing certificates in the certs subdirectory could
>>>> be deleted but the authentication would work?
>>>
>>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2,
>>> then you don't need certificates.
>>
>> But it would work with the standard certificates given in the certs
>> subdirectory. There is no security improvement by creating new
>> certificates
>
> Yes, there is.
> Once the TLS tunnel is established, the traffic inside it will be encrypted.
> Anyone sniffing traffic in the middle will be unable to decode it. So at
> minimum, it helps prevent user/password sniffing.
> The difference might not be obvious with PEAP-MSCHAPv2 vs plain MSCHAPv2, but
> it's VERY significant when comparing PAP vs TTLS-PAP or PEAP-GTC.
>
>> and using them for PEAP-EAP-MSCHAPv2 when you don't check them.
>
> ... and that's why the recommendation is to CHECK them, and to successfully
> do that you usually need to have every client import the CA used to sign the
> server certs.

But a TLS tunnel can be established with the standard certificates given in
the certs subdirectory. Creating new certificates is only a security
improvement when checking them? Is there any security improvement in creating
new certificates and not checking them?

Best Regards

Sebastian Heinrich
Techn. DV
Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade
email [email protected]
web http://www.aos-stade.de

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
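The point made in the quoted reply (import the CA on every client and CHECK the server certificate) can be shown with a small self-contained Go program. This is an added example, not code from the thread or from FreeRADIUS. It builds a CA and a server certificate for the assumed name radius.example entirely in memory, then models two supplicants during the outer TLS handshake of PEAP/TTLS: one with no CA configured (trustedCA == nil, so it accepts whatever certificate it is shown) and one that verifies against the imported CA. Both are tested against the legitimate server and against a rogue server whose certificate was issued by a different CA, which is what an attacker's access point would present. The CA names and the server name are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerName is the name the supplicant expects in the RADIUS server's
// certificate (assumed for this example; use your server's real CN/SAN).
const ServerName = "radius.example"

// NewCA builds a self-signed CA certificate in memory. It stands in for the
// CA whose certificate you would import on every client.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert signs a server certificate for ServerName with the given CA.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: ServerName},
		DNSNames:     []string{ServerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SupplicantAccepts models the client side of the outer TLS handshake.
// trustedCA == nil models a client with no CA configured (validation off):
// it builds the tunnel with any certificate and sends its inner credentials
// into it. Otherwise the certificate must chain to trustedCA and name ServerName.
func SupplicantAccepts(presented, trustedCA *x509.Certificate) bool {
	if trustedCA == nil {
		return true
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: ServerName})
	return err == nil
}

// Outcome records whether a client would build the tunnel to each server.
type Outcome struct {
	LegitServer bool // our RADIUS server, certificate signed by our CA
	RogueServer bool // attacker's AP, certificate signed by a different CA
}

// Evaluate issues fresh certificates and returns (noCheck, withCheck) outcomes.
func Evaluate() (Outcome, Outcome, error) {
	ourCA, ourKey, err := NewCA("Our RADIUS CA")
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	legit, err := IssueServerCert(ourCA, ourKey)
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	rogueCA, rogueKey, err := NewCA("Attacker CA")
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	rogue, err := IssueServerCert(rogueCA, rogueKey)
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	noCheck := Outcome{SupplicantAccepts(legit, nil), SupplicantAccepts(rogue, nil)}
	withCheck := Outcome{SupplicantAccepts(legit, ourCA), SupplicantAccepts(rogue, ourCA)}
	return noCheck, withCheck, nil
}

func main() {
	noCheck, withCheck, err := Evaluate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no CA check:  legit=%v rogue=%v\n", noCheck.LegitServer, noCheck.RogueServer)
	fmt.Printf("CA imported:  legit=%v rogue=%v\n", withCheck.LegitServer, withCheck.RogueServer)
}
```

The unchecked client accepts both servers, so regenerating the server certificate changes nothing for it: the tunnel only defeats passive sniffing, and an attacker who terminates the TLS tunnel on his own access point still receives the inner credentials. Only the client that verifies against the imported CA rejects the rogue server, which is why new certificates pay off only together with the check.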

