Alan Buxey wrote:
> well, looking at it from the wireless side, I'd say it's the right place
> as such a method is more common than MD5 (peap and ttls are more prevalent)
> and TTLS is the first supported method in e.g. 802.11u/HS2.0/passpoint - so
> is more likely to be the choice of clients asking for EAP.
You can override the EAP-Type for a particular client, if needed.
> well, for moonshot the right thing is to NAK what the server offers and
> go for TTLS.... that's in addition to the RADIUS side of things 8-)
That's how EAP supplicants work.
> (I'd prefer FR to be more secure out of the box.. NPS is after all... ;) )
I prefer FR to work out of the box. The defaults *should* be the
minimum which allows the server to work.

EAP-MD5 is secure for WiFi, because you can't authenticate using it.
And any correctly configured supplicant will NAK EAP-MD5, and request
something else.

There is NO SECURITY PROBLEM with using EAP-MD5 in the default
configuration.

Alan DeKok.
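
The NAK exchange discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: it builds the RFC 3748 packets for a server that offers EAP-MD5 by default and a supplicant that answers with a Legacy Nak listing the methods it accepts. The function names and the server's "first proposed type that is enabled" selection rule are assumptions made for illustration, and only the method negotiation is modelled.

```python
import os
import struct

# EAP codes and method type numbers (RFC 3748 and the IANA EAP registry).
REQUEST, RESPONSE = 1, 2
NAK, MD5, TLS, TTLS, PEAP = 3, 4, 13, 21, 25

def build_eap(code, ident, eap_type, data=b""):
    """Layout: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(pkt):
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length < 5 or length > len(pkt):
        raise ValueError("bad EAP length field")
    return code, ident, eap_type, pkt[5:length]

def supplicant_reply(request, acceptable):
    """Supplicant side (hypothetical helper): NAK any method not in `acceptable`."""
    code, ident, offered, _ = parse_eap(request)
    if code != REQUEST:
        raise ValueError("not an EAP-Request")
    if offered in acceptable:
        return None  # would start the offered method (not modelled here)
    # Nak type-data lists the desired types; a single 0 means "no alternative".
    return build_eap(RESPONSE, ident, NAK, bytes(acceptable) or b"\x00")

def server_next_method(response, enabled, sent_ident):
    """Server side (assumed policy): first NAK-proposed type that is enabled."""
    code, ident, eap_type, data = parse_eap(response)
    if code != RESPONSE or ident != sent_ident or eap_type != NAK:
        raise ValueError("not a NAK for the outstanding request")
    for wanted in data:
        if wanted != 0 and wanted in enabled:
            return wanted
    return None  # nothing in common: authentication cannot proceed

def negotiate(default, enabled, acceptable, ident=1):
    """One round: server offers `default`; return the method used, or None."""
    challenge = bytes([16]) + os.urandom(16)  # MD5-Challenge: Value-Size + Value
    request = build_eap(REQUEST, ident, default, challenge if default == MD5 else b"")
    reply = supplicant_reply(request, acceptable)
    if reply is None:
        return default
    return server_next_method(reply, enabled, ident)

if __name__ == "__main__":
    # Server default is EAP-MD5; supplicant only accepts TTLS or PEAP.
    print(negotiate(MD5, {MD5, TLS, TTLS, PEAP}, [TTLS, PEAP]))
```
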