Eduroam access authentication, an analysis of MSCHAPv2, and how passwords are stored

Eduroam uses WPA2-Enterprise (802.1X) and performs secure authentication through a RADIUS server; most universities choose PEAP with MSCHAPv2. MSCHAPv2 performs mutual authentication based on the NT hash, so the server has to store each user's NT hash. When FreeRADIUS stores passwords, the NT-Password attribute holds the value used in the NT-hash computation. Experiments showed that whichever authentication method is chosen, as long as the NT hash is used, the Eduroam connection succeeds.

Access authentication in Eduroam

1. The authentication methods Eduroam uses

According to the documentation on the official Eduroam site, its security rests on two points:
1) A user's credentials are stored on the server of the institution where they registered; even when logging in elsewhere, authentication still goes back to the home institution's server, which greatly limits how far user credentials travel.
2) WPA2-Enterprise (802.1X) is used, with a TLS tunnel built to the RADIUS server (via EAP-TTLS or PEAP), so that identity verification happens inside the tunnel with end-to-end encryption and user credentials are not exposed.

Part of the original text:

  • What technology does eduroam use?
    In eduroam, communication between the access point and the user’s home institution is based on IEEE 802.1X standard; 802.1X encompasses the use of EAP, the Extensible Authentication Protocol, which allows for different authentication methods. Depending on the type of EAP method used, either a secure tunnel will be established from the user’s computer to his home institution through which the actual authentication information (username/password etc.) will be carried (EAP-TTLS or PEAP), or mutual authentication by public X.509 certificates, which is not vulnerable to eavesdropping, will be used (EAP-TLS).
    https://www.eduroam.org/faqs/

  • Our network relies on PAP/CHAP, can we join eduroam securely?
    While PAP passwords remain in plain text in the “inner-tunnel,” the 802.1x SSL tunnel, in either TTLS or PEAP, exists from the users’ supplicant all the way back to the home RADIUS server. All EAP authentication traffic, including the plain text password, is encrypted within the SSL tunnel which terminates on the RADIUS server itself. At that point the only users who should have access to the unencrypted traffic are local administrators/users on the RADIUS server itself. From there the transit to/from the directory service (IdP) must be secured according to local policy.
