Taskforce Mobility Mailarchive


Subject Re: iPhone 2
From Tomasz Wolniewicz <twoln@xxxxxx>
Date Mon, 21 Jul 2008 09:33:19 +0200

A.L.M.Buxey@xxxxxxxxxxx wrote:
> Hi,
>
> in RADIUS you really should use a closed-loop system - e.g. your own CA
> to stop any possible contamination by external trusted CA systems
> and bad supplicants.
I absolutely agree, but I was under the impression that in the UK people were using SCS certificates for eduroam RADIUS servers. I also heard some opinions that not making the user add the CA really helps. I have also seen phones which had been blocked by the GSM operator so that you could not add a new CA.

> we let the users choose. PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2 (well, only
> 2 options, but it's still a choice! ;-) )
For UNIX-based systems MSCHAPv2 can be a problem, of course. At my place, users can only change their passwords through a web interface. This generates both the MD5 hash for the UNIX systems and the NT-Hash for MSCHAPv2 and stores them in LDAP. Some people say that one should just store plain-text passwords in LDAP; I am not a fan of this.

Tomasz


--
Tomasz Wolniewicz twoln@xxxxxx http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576