Wireless Security
Re: EAP-TTLS Question Aug 27 2008 02:52AM
Christopher (vooduhal gmail com) (2 replies)
Re: EAP-TTLS Question Aug 27 2008 05:36PM
Joshua Wright (jwright hasborg com)
Re: EAP-TTLS Question Aug 27 2008 02:52PM
Christopher (vooduhal gmail com) (1 replies)
I seem to have answered my own question with a little testing. So
what would be the most secure way to deploy enterprise wireless
without client-side certificates?

On Tue, Aug 26, 2008 at 10:52 PM, Christopher <vooduhal (at) gmail (dot) com> wrote:
> I guess a follow up to my question would be does this RFC excerpt mean
> that the TTLS server cert is exchanged during phase 1 of the
> authentication, and if so, is it susceptible to the same MitM that
> PEAP is?
> As part of the TLS handshake protocol, the TTLS server will send its
> certificate along with a chain of certificates leading to the
> certificate of a trusted CA. The client will need to be configured
> with the certificate of the trusted CA in order to perform the
> authentication.
>
> Am I back to the wonderful user being able to accept a self signed
> cert and compromising the whole authentication transaction? Is it
> also safe to assume that the behavior is solely based on the
> supplicant?
>
>
> On Tue, Aug 26, 2008 at 6:36 PM, Christopher <vooduhal (at) gmail (dot) com> wrote:
>> We've been working on implementing PEAPv0/MSCHAPv2 and have decided
>> that because of the MitM possibility of the TLS piece we would like to
>> find another solution. We were considering TLS but I had a quick
>> question about TTLS. Is the authentication server certification
>> enforcement part of the client or is there a possibility of a MitM
>> against the server cert as is the case with PEAP?
>>
>

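The quoted RFC text says the client must be configured with the trusted CA, so whether the tunnel's server certificate is actually enforced comes down to the supplicant profile. As an added example that is not part of the original post, the script below audits network blocks for that setting; it assumes wpa_supplicant.conf syntax (the thread names no supplicant), and the sample profiles, SSIDs and paths are constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (SSIDs, paths and names are made up).
SAMPLE_CONF = '''
network={
    ssid="corp-unpinned"
    eap=TTLS
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ca-only"
    eap=PEAP
    ca_cert="/etc/ssl/example-corp-ca.pem"
}
network={
    ssid="corp-pinned"
    eap=TTLS
    ca_cert="/etc/ssl/example-corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

TUNNELLED = {"TTLS", "PEAP"}  # EAP methods that wrap inner auth in a server-authenticated TLS tunnel
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        lines = [ln.strip() for ln in body.splitlines() if "=" in ln and not ln.strip().startswith("#")]
        nets.append({k.strip(): v.strip().strip('"') for k, v in (ln.split("=", 1) for ln in lines)})
    return nets

def audit(conf):
    """Map each TTLS/PEAP SSID to a list of server-validation findings (empty list = ok)."""
    report = {}
    for net in parse_networks(conf):
        if not TUNNELLED & set(net.get("eap", "").upper().split()):
            continue
        findings = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no trusted CA: server certificate is not verified")
        elif not any(net.get(k) for k in NAME_CHECKS):
            findings.append("CA set but no server name check: any cert from that CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
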
Re: EAP-TTLS Question Aug 28 2008 01:20PM
Joshua Wright (jwright hasborg com)


 

Copyright 2010, SecurityFocus