On Nov 22, 2019, at 12:14 PM, Nik Mitev <[hidden email]> wrote:
>
> I was looking at this article about the sycophant attack
> https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/ and the
> success of it reportedly hangs on whether cryptobinding is enforced or
> not.
>
> On NPS it is not enforced by default, but there is a "Disconnect
> clients without cryptobinding" setting that can be enabled.
>
> Can anyone confirm what is the FR default on cryptobinding and whether
> it can be changed in configuration? If it is not enabled by default,
> can it be enabled? If it is enabled by default, can it be disabled -
> inadvertently or on purpose.

There is no standard for cryptographic binding for PEAP. If you can find one, we're happy to implement it.

There is a standard for TTLS, and FreeRADIUS enforces it by default. See:

https://tools.ietf.org/html/rfc5281#section-11.1

There is no way to disable it for TTLS.

Alan DeKok.