On 24/02/15 13:02, Matthew Newton wrote:
Push towards EAP-TTLS/PAP? More clients are supporting it (Windows 7 the only major exception), and *much* more flexible on the RADIUS side.
I'm not sure how that helps. MSCHAP is already embedded inside TLS for PEAP, so any concerns about MSCHAP imply concerns about PEAP, most likely the difficulty of ensuring proper CA trust settings on clients (cough, Android, cough). IMO, ensuring (as opposed to attempting) proper client setup is just too hard for PKIX-based systems in large organisations unless you spend a lot of money on a supplicant deployment tool. This sucks, and the supplicant/OS vendors need to get their shit together and fix cross-platform provisioning. I really wish EAP-PWD had identity privacy... and maybe a more mature cryptanalysis ;o) Basically, the state of EAP methods and provisioning sucks. It's a classic IT industry outcome, get 90% of the way there and stop, distracted, by the new shiny, leaving the ops community holding the bag! TEAP support? <crickets>