Educause Security Discussion mailing list archives
Re: 802.1X for wired ports
From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Thu, 17 Jun 2010 09:27:02 -0400
On Thu, Jun 17, 2010 at 08:57:37AM -0400, Mike Wiseman wrote:

> When I worked on a wireless 802.1X PEAPv0 and TTLS deployment, I thought about the same thing – why can't the radius endpoint be verified similar to TLS websites, e.g. via certificate path validation.

I wonder why they didn't just make it a requirement that the cert match the SSID, so instead of the SSID being MYSCHOOL it would just be wifi.myschool.edu.

> It's just not possible without the user making the decision or having his device configured in some secure way (which BTW applies to websites also). Because an intruder can buy a cert for his radius server, so someone has to pick between radius.myschool.edu and gotcha-radius.myschool.edu.
>
> Mike

Well it would be between radius.myschool.edu and gotcha-radius.myschooledu.com or something.. hopefully an attacker wouldn't be able to get a valid cert under the correct domain.

-- 
Justin Azoff
Network Security & Performance Analyst
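The thread turns on what the supplicant checks after the RADIUS server's certificate chains to a trusted CA: whether the server name is pinned exactly, pinned to a domain suffix, or not pinned at all (the "user has to pick" case). The block below is an added illustration, not code from the thread or from any supplicant; it models that decision in the manner of wpa_supplicant's `domain_match` / `domain_suffix_match` options, with the label-boundary rule that makes `radius.myschool.edu` pass a suffix of `myschool.edu` while `gotcha-radius.myschooledu.com` fails. The certificate records, the `PresentedCert` class and the `accept_server` helper are constructed for the example; path validation is represented by a boolean on the record rather than real X.509 parsing.

```python
"""Supplicant-side identity check for the RADIUS/EAP server certificate.

Added illustration (not code from the mailing-list thread or from any
supplicant). It models the name check a supplicant applies *after* the
certificate chain has validated against the configured trust anchor, in the
manner of wpa_supplicant's domain_match / domain_suffix_match options. The
certificate records below are constructed; the trust-anchor result is a
boolean field instead of real X.509 path validation.
"""

from dataclasses import dataclass, field


@dataclass
class PresentedCert:
    """Stand-in for the server certificate the EAP peer sees during PEAP/TTLS."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries
    chains_to_trusted_ca: bool = False            # outcome of path validation


def identity_names(cert: PresentedCert) -> list:
    """Names eligible for matching: SAN dNSNames if present, else the subject CN."""
    if cert.san_dns:
        return [n.lower() for n in cert.san_dns]
    return [cert.subject_cn.lower()]


def suffix_matches(name: str, suffix: str) -> bool:
    """True if `name` equals `suffix` or ends with '.' + suffix (label boundary).

    The label boundary is what rejects look-alikes such as myschooledu.com
    or evilmyschool.edu for a configured suffix of myschool.edu.
    """
    name, suffix = name.lower(), suffix.lower()
    return name == suffix or name.endswith("." + suffix)


def accept_server(cert: PresentedCert, *, domain_match: str = None,
                  domain_suffix_match: str = None) -> bool:
    """Decide whether the supplicant should continue the EAP exchange.

    - No trusted chain: reject, whatever the names say.
    - domain_match requires an exact name; domain_suffix_match also allows
      subdomains of the suffix.
    - Neither configured: any CA-issued certificate is accepted. This is the
      situation the thread describes, where the user is left to choose
      between radius.myschool.edu and a look-alike; treat it as a
      misconfiguration.
    """
    if not cert.chains_to_trusted_ca:
        return False
    names = identity_names(cert)
    if domain_match is not None:
        return any(n == domain_match.lower() for n in names)
    if domain_suffix_match is not None:
        return any(suffix_matches(n, domain_suffix_match) for n in names)
    return True  # no identity pin configured


# Constructed sample certificates mirroring the names used in the thread.
LEGIT = PresentedCert("radius.myschool.edu", ["radius.myschool.edu"], True)
LOOKALIKE = PresentedCert("gotcha-radius.myschooledu.com",
                          ["gotcha-radius.myschooledu.com"], True)
NO_LABEL_BOUNDARY = PresentedCert("evilmyschool.edu", ["evilmyschool.edu"], True)
UNTRUSTED = PresentedCert("radius.myschool.edu", ["radius.myschool.edu"], False)

if __name__ == "__main__":
    for label, cert in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                        ("no-boundary", NO_LABEL_BOUNDARY), ("untrusted", UNTRUSTED)]:
        print(f"{label:12} suffix=myschool.edu -> "
              f"{accept_server(cert, domain_suffix_match='myschool.edu')}")
```

The last branch of `accept_server` is the one to watch in real supplicant profiles: a trusted CA alone only proves that someone bought a certificate, so the profile also needs a name pin (exact or suffix) for the check to carry the meaning the thread is asking for.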