On Fri, Mar 30, 2012 at 4:18 PM, Heinrich, Sebastian <[email protected]> wrote:
> We don't want to install certificates on the clients, but the problem
> that is given in wikipedia is that anybody can install an access point
> with the same ssid and a client that would connect with it would give
> him his MSCHAP encrypted username and password.

err ... no. It doesn't work that way.

> How easy is it to crack such a password? An authentication wouldn't
> have happened but the attacker would have had the encrypted usernames
> and passwords.

They won't.

> problem because in my configuration that usernames and passwords are
> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make
> it secure without installing certificates?

It depends on how "secure" you want it to be. MSCHAPv2, even without PEAP, is already more secure than PAP.

Alan said "If you don't check the certs, they don't add security." I highly respect his opinion as a radius expert, however I still think that using certificates, even when you don't check them, adds some level of security, because it makes sniffing a little harder.

There's no argument, however, that the best implementation would be to use your own root CA, AND install it on clients, AND configure the client to check certificate.

Phil's mail here might give you more options and information:
http://www.mail-archive.com/[email protected]/msg74875.html

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
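An added example, not from this thread or from FreeRADIUS: a small audit of wpa_supplicant-style network blocks that flags the "don't check the certificate" setup discussed above next to the recommended one (own root CA installed and pinned on the client). The SSID, CA path, server name and credentials are constructed sample values; the thread does not say which supplicant the clients run.

```python
import re

# Constructed sample: the same PEAP/MSCHAPv2 network twice. WEAK_CONF has no
# ca_cert, so the supplicant accepts whatever server certificate it is shown.
# HARDENED_CONF pins the enterprise root CA and the RADIUS server's name.
WEAK_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""

def parse_networks(conf):
    """Return one dict (key -> value, quotes stripped) per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets

def audit(conf):
    """Return (ssid, problem) for tunnelled-EAP networks that do not verify the server."""
    findings = []
    for n in parse_networks(conf):
        if n.get("key_mgmt") != "WPA-EAP" or n.get("eap") not in ("PEAP", "TTLS"):
            continue
        if "ca_cert" not in n:
            findings.append((n.get("ssid", "?"), "no ca_cert: any server certificate is accepted"))
        elif not {"domain_suffix_match", "altsubject_match", "subject_match"} & n.keys():
            findings.append((n.get("ssid", "?"), "ca_cert set but server name not pinned"))
    return findings
```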

