> On Nov 24, 2015, at 3:46, Mohamed Hamid 
> <[email protected]> wrote:
> 
> Been looking a little deeper at EAP-PEAP and not sure if it's 100% secure, there 
> are many articles out there that describe its faults where password hashes 
> (MS-CHAPv2) can be cracked by an attacker setting up a fake AP pointing to 
> a rogue RADIUS server…

That is only true if the clients are not verifying the root CA that signed the 
RADIUS certificate, and if that CA is not your own.
As long as you have your own CA, sign your own RADIUS server certificate and 
have the supplicant configured to only trust that CA, then PEAP is as secure as 
the TLS ciphers you allow.

> 
> Would be great to get your thoughts on this, I am now thinking of going with 
> EAP-TLS..
> 
> I know in EAP-PEAP the RADIUS server encrypts the connection using its certs 
> and provides this to the server; however, users being users will accept any 
> old cert.

That is why it should not be up to the users to configure their supplicant.
Use a GPO for that if possible or have some form of provisioning that will 
configure it on demand.


Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
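
An added example, not part of the original thread and not PacketFence code: a small audit of a wpa_supplicant configuration that reports every PEAP network whose `ca_cert` is missing or is not the organisation's own CA, which is the condition the reply above says PEAP depends on. The choice of wpa_supplicant as the supplicant, the file paths and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf (paths and SSIDs are made up).
SAMPLE_CONF = '''
network={
    ssid="corp-good"
    eap=PEAP
    ca_cert="/etc/pki/corp/own-root.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-no-ca"
    eap=PEAP
}
network={
    ssid="corp-other-ca"
    eap=PEAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="home"
    psk="constructed-passphrase"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit_peap(text, own_ca):
    """Map SSID -> finding for every PEAP network; own_ca is the expected CA file."""
    findings = {}
    for net in parse_networks(text):
        if "PEAP" not in net.get("eap", "").split():
            continue  # only PEAP networks are in scope
        ca = net.get("ca_cert")
        findings[net.get("ssid", "?")] = (
            "no ca_cert: server certificate not checked against our CA" if ca is None
            else "ca_cert is not our own CA" if ca != own_ca else "ok")
    return findings
```

Run against the configuration that provisioning pushes to clients, so a profile that would accept any RADIUS certificate is caught before it is deployed.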