On Tue, Feb 24, 2015 at 01:43:47PM +0000, Phil Mayers wrote:
On 24/02/15 13:02, Matthew Newton wrote:
Push towards EAP-TTLS/PAP? More clients are supporting it (Windows 7 the only major exception), and *much* more flexible on the RADIUS side.
I'm not sure how that helps.
Well with EAP-TTLS/PAP, the RADIUS server gets the plaintext password from the client, so can do whatever backend auth mechanism it likes... I'm not thinking about security concerns handling plain passwords; we can be as protective about the RADIUS server as the Windows guys can be about their DCs, and the NTLM hash is nearly as good as plaintext anyway, hence the reason they may want to kill it off.
IMO, ensuring (as opposed to attempting) proper client setup is just too hard for PKIX-based systems in large organisations unless you spend a lot of money on a supplicant deployment tool. This sucks, and the supplicant/OS vendors need to get their shit together and fix cross-platform provisioning.
Agreed. EAP-TLS would be a lot nicer, but requires a lot more effort for on-boarding. We have enough complaints about the client setup processes as it is (and they really aren't that hard).
Basically, the state of EAP methods and provisioning sucks. It's a
It's the usual story with something "extensible". You end up having to run the lowest common denominator, which is probably tantamount to crap. SSL and crypto algorithms, anyone? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>