cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Martin Pauly <pauly AT hrz.uni-marburg.de>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
- Date: Fri, 21 May 2021 14:59:14 +0200
Hello,

> Just an academic question: If you had a mobile OS landscape all
> capable of EAP-PWD and only allow this in the server, would you
> be able to achieve the same level of security as with EAP-TLS?

No. It does not matter what the genuine server allows: when the client
device is communicating with an attacker, that rogue server will
conveniently *not* support EAP-pwd, simply because it wouldn't be able
to do anything useful with the EAP payload then. A good attacker would
suggest TTLS-PAP as EAP method of choice, and then maybe PEAP. If the
device accepts that, the damage is done.

The only way to prevent this from being a useful attack vector is by
configuring the *client* to exclusively talk EAP-pwd with any server it
encounters.

Which means the client needs to be actively configured. E.g. by a CAT
profile. But then: if there is a need for a CAT profile deployment
anyway - that profile can just as well securely configure TTLS or PEAP
instead.

That makes EAP-pwd a less interesting thing than one would hope :-(

Greetings,

Stefan Winter
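
An added example, not part of the original message: a Python check that flags wpa_supplicant network blocks where the client is not pinned to a single EAP method, which is the client-side condition the reply above describes. The use of wpa_supplicant as the supplicant, the sample configuration, the server name and the CA path are assumptions constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf contents (not from the original post).
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PWD
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

TUNNELLED = {"TTLS", "PEAP"}  # methods that expose credentials to whoever ends the tunnel
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def audit(conf):
    """Return one list of findings per network block; an empty list means pinned."""
    results = []
    for block in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        kv = dict(re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", block, re.M))
        methods = kv.get("eap", "").strip('"').upper().split()
        findings = []
        if not methods:
            findings.append("eap unset: all compiled-in methods are allowed")
        elif len(methods) > 1:
            findings.append("several EAP methods allowed: " + " ".join(methods))
        # Tunnelled methods are only safe when the server certificate and name are checked.
        if not methods or TUNNELLED & set(methods):
            if "ca_cert" not in kv:
                findings.append("no ca_cert: server certificate is not validated")
            if not any(k in kv for k in NAME_CHECKS):
                findings.append("no server name check configured")
        results.append(findings)
    return results

if __name__ == "__main__":
    for i, findings in enumerate(audit(SAMPLE_CONF), 1):
        print(i, findings or "pinned")
```

Only the first block is flagged: nothing in it stops the client from following whatever method the server proposes, regardless of what the genuine RADIUS server is configured to allow.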