debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Matthew Newton
mcn4 at leicester.ac.uk
Thu Aug 22 00:45:11 CEST 2013
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> well looking at man wpa_supplicant I can see
>
> EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.
> also from my google searches it might be possible that windows supports
> PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get
Yes
> There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam
> because we don't really trust supplicants in windows, macs and various phones
> to do the right thing (windows phone doesn't check the radius certificate for
> example).
If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.
Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
do EAP-TLS.
You do realise that EAP-TLS is certificate based, not
user/password? So you need a full certificate management system to
go with it as well to issue certs to your users. You can't get
user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
certificate (machine auth) only.
My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
deployment tools to get the devices configured correctly.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users
mailing list