]-----Original Message-----
]From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net]
..
]Paul, RADIUS by itself has little to do with device authentication
](other than carrying the packets).

Yes - RADIUS is just a wrapper, I was describing the broader system issue.
The thread mentioned pervasive capture of information and RADIUS. A
significant path for capture of EAP information carried in RADIUS packets
is via MiTM attacks when the EAP/RADIUS information is carried in TLS.
Code used for EAP/RADIUS does not always validate certificates correctly,
creating a path to capture the RADIUS/EAP information.

]
]Problems with EAP methods is not a problem of RADIUS.

Yes ... but it is a system problem with the use of RADIUS.

Paul

]
]Ciao
]Hannes
]
]On 04/08/2014 11:12 PM, Paul Lambert wrote:
]>>
]>> Either TLS or IPSEC for RADIUS will thwart pervasive monitoring.
]> Only if correctly implemented. The Wi-Fi industry has a pervasive
]> problem where the TLS certificates for the authentication servers are
]> not validated by all devices. We are putting in certificating testing
]> to encourage correct implementations, but it will take time to see a
]> significant change in products being sold.
]>
]> The lack of certificate validation compounds the vulnerability of
]> MSCHAPv2 which has been commonly used for "enterprise" grade Wi-Fi
]deployments.
]> Some new solutions for this problem area will be available soon ... will
]> post when they are announced.
]>
]> Paul
]>
]>>
]>> -- Christian Huitema
]>>
]>> _______________________________________________
]>> perpass mailing list
]>> perpass@ietf.org
]>> https://www.ietf.org/mailman/listinfo/perpass