What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?
Hi, Starting from a scenario with 3 servers, where all 3 methods are properly configured, what would be the safest method? -- Elias Pereira
On 20 Aug 2018, at 04:37, Elias Pereira <empbilly@gmail.com> wrote:
Starting from a scenario with 3 servers, where all 3 methods are properly configured, what would be the safest method?
Your question is a little too vague - all three methods can be equally secure over the wire. They're all TLS-based and all support client certs. It's the details of the configuration that differentiate them - so how are you planning on configuring your clients? Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Hello Adam, thanks for the answer!! :) At first our freeradius server will be configured for authentication of smartphones from our wifi network. My intent is to try and configure each client to have their own certificate for the connection. Scenario 1 (in tests) I already have a scenario with EAP-PEAP where the client downloads the CA, installs it on his smartphone and connects, but as we know, if he does not select the CA at the time of connection, he will still be able to connect. In this way we are in the hands of the user's "willingness" to use the CA, even informing the danger of not using the CA. Scenario 2 (intended) As mentioned above, I would like a scenario where the client had its own certificate and the radius server verified this certificate in authentication. If it is signed by the CA of the server, it authenticates, otherwise, not. For scenario 2, what is the best method? On Mon, Aug 20, 2018 at 7:44 AM Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 20 Aug 2018, at 04:37, Elias Pereira <empbilly@gmail.com> wrote:
Starting from a scenario with 3 servers, where all 3 methods are properly configured, what would be the safest method?
Your question is a little too vague - all three methods can be equally secure over the wire. They're all TLS-based and all support client certs.
It's the details of the configuration that differentiate them - so how are you planning on configuring your clients?
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Elias Pereira
participants (2)
-
Adam Bishop -
Elias Pereira