Hello all, I apologize for the "spam" but I thought that you would be able to give me a couple of pointers on the following. I am trying to find some statistics on what is the most commonly deployed/used EAP method using FreeRadius (or RADIUS in general). There are many claims that, for example, EAP-TLS and EAP-TTLS are most commonly used (and secure) but these are never backed up by any survey/references. Any pointers? Thanks a lot, Panos
On 20/11/12 12:53, Panagiotis Georgopoulos wrote:
Hello all,
I apologize for the “spam” but I thought that you would be able to give me a couple of pointers on the following.
I am trying to find some statistics on what is the most commonly deployed/used EAP method using FreeRadius (or RADIUS in general).
There are many claims that, for example, EAP-TLS and EAP-TTLS are most commonly used (and secure) but these are never backed up by any survey/references. Any pointers?
We support the following: EAP-PEAP/MSCHAP EAP-TTLS/PAP EAP-TTLS/MSCHAP EAP-TLS ...and 99.9% of our auth is EAP-PEAP/MSCHAP. So, I would have to say that PEAP/MSCHAP is the most common, and my understanding of other sites suggests the same.
Panagiotis Georgopoulos wrote:
I am trying to find some statistics on what is the most commonly deployed/used EAP method using FreeRadius (or RADIUS in general).
That's hard. It requires organizations to tell people what they're doing. Most organizations won't say this.
There are many claims that, for example, EAP-TLS and EAP-TTLS are most commonly used (and secure) but these are never backed up by any survey/references. Any pointers?
The best source of these stats is probably the eduroam proxies. However, that information is hard to get. Alan DeKok.
Panagiotis Georgopoulos wrote:
I am trying to find some statistics on what is the most commonly deployed/used EAP method using FreeRadius (or RADIUS in general).
That's hard. It requires organizations to tell people what they're doing. Most organizations won't say this.
Yeap, I understand this but telling people that you are doing EAP-TLS, or EAP-TTLS, or PEAP, or whatever does not really expose your network. Many companies have this information on the web already in "how-to-connect-to-our-wifi" guides. It seems strange to me that there is no survey with collective statistics about this anywhere.
There are many claims that, for example, EAP-TLS and EAP-TTLS are most commonly used (and secure) but these are never backed up by any survey/references. Any pointers?
The best source of these stats is probably the eduroam proxies. However, that information is hard to get.
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help? Thanks, Panos
Hi,
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?
In eduroam, every identity provider makes the choice of EAP type all on their own. I.e. we do not have a central register of who uses which EAP type. Of course these things can be found out; if by no other means by sniffing the first bytes of EAP conversations on proxies to see which EAP type was negotiated. But seriously: what's the point? There are a number of EAP methods which satisfy the IETF requirements for "good" EAP types in RFC4017. So long as you stay in the "good" set - pick whatever fits your local situation best; some have advantages in certain situations, others don't. There is no definitive answer which EAP type is "best", so you'll have to sit down and find out your own needs yourself. And if you just want statistics for statistics' sake... sorry, that kind of information is so hard to get hold of, I'm reasonably confident that it won't be done unless there's a real use case for it. That said, we might get information of that kind as a by-product of a configuration assistant tool which identity providers may use to make their lives easier, and then maybe we could generate numbers from that. Don't hold your breath though. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Hello Stefan, Thanks for your reply.
Subject: Re: Statistics on EAP methods widely used
Hi,
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?
In eduroam, every identity provider makes the choice of EAP type all on their own. I.e. we do not have a central register of who uses which EAP type.
Of course these things can be found out; if by no other means by sniffing the first bytes of EAP conversations on proxies to see which EAP type was negotiated. But seriously: what's the point?
I understand your view here and I don't disagree. My point is to firstly see which of them are being used in practice and then try to identify why. In certain instances some of them are more convenient/secure/etc than others, but when you know their popularity you can start thinking of other questions such as why would you need to configure both PEAP and EAP-TTLS for example. If providers are doing so there must be a reason and this is what I wanted to see.
From another point of view, I keep reading about "x being the most widely deployed" or "z being the most commonly used" but no one backs up their claim. That's why I thought to ask...
There is no definitive answer which EAP type is "best", so you'll have to sit down and find out your own needs yourself.
I didn't want to find which one is the "best", because as you say this is in relation to the requirements of the scenario. I more wanted to see what do providers eventually support and what prevails in the real world (vs theory). Thanks for your reply, Panos
Hi,
I understand your view here and I don't disagree. My point is to firstly see which of them are being used in practice and then try to identify why. In certain instances some of them are more convenient/secure/etc than others, but when you know their popularity you can start thinking of other questions such as why would you need to configure both PEAP and EAP-TTLS for example. If providers are doing so there must be a reason and this is what I wanted to see.
answers 1) the usage figures are known by sites who tell - they always show PEAP being the most favoured 2) backend authentication method 3) PEAP is most convenient... with correct deployment they are all as secure as each other 4) because you can. we support PEAP/EAP-TTLS/EAP-TLS/EAP-PWD because our authentication system works with them all and it means that we can offer the widest range of authentication methods to clients - especially of interest to the mobile space where , for example, Apple could suddenly decide not to support PEAP anymore.... we've got EAP-TTLS there.
From another point of view, I keep reading about "x being the most widely deployed" or "z being the most commonly used" but no one backs up their claim. That's why I thought to ask...
there is knowledge and a very large historical tract of 802.1X space.
the requirements of the scenario. I more wanted to see what do providers eventually support and what prevails in the real world (vs theory).
..and what would happen if the only vocal people who provided you with data were all using EAP-TLS or EAP-FAST, you would get a very distorted view of whats going on in the real world. that is the problem with such surveys or questions... alan
Hello Alan, Thanks for your reply,
I understand your view here and I don't disagree. My point is to firstly see which of them are being used in practice and then try to identify why. In certain instances some of them are more convenient/secure/etc than others, but when you know their popularity you can start thinking of other questions such as why would you need to configure both PEAP and EAP-TTLS for example. If providers are doing so there must be a reason and this is what I wanted to see.
answers
1) the usage figures are known by sites who tell - they always show PEAP being the most favoured
I didn't know that, and some articles I read didn't favour PEAP that much. Good to learn.
2) backend authentication method
3) PEAP is most convenient... with correct deployment they are all as
secure
as each other
I would imagine that from the backend's perspective deploying PEAP and EAP-TTLS is similar right? When you mention here convenient you mean in terms of the clients that support it out of the box?
4) because you can. we support PEAP/EAP-TTLS/EAP-TLS/EAP-PWD because our authentication system works with them all and it means that we can offer
the
widest range of authentication methods to clients - especially of interest to the mobile space where , for example, Apple could suddenly decide not to support PEAP anymore.... we've got EAP-TTLS there.
So being more inclusive and supporting more devices out of the box is a reason for supporting more than one EAP method on the server. is knowledge and a very large historical tract of 802.1X space.
the requirements of the scenario. I more wanted to see what do providers eventually support and what prevails in the real world (vs theory).
..and what would happen if the only vocal people who provided you with data were all using EAP-TLS or EAP-FAST, you would get a very distorted view of whats going on in the real world. that is the problem with such surveys or questions...
Nothing would happen! I asked to see if people have pointers or would be willing to share their stats/numbers as there is nothing as such online. Thanks for your reply, Panos
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?
On our side we support eap-peap/mschapv2 and eap-ttls/mschapv2. We're providing documentation and configuration tool for the peap method. Statistics reports 60% of peap against 40% of ttls. Total number of eduroam users live is approx 800 Olivier B. -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Hi Olivier,
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could
they help?
On our side we support eap-peap/mschapv2 and eap-ttls/mschapv2. We're providing documentation and configuration tool for the peap method.
Statistics reports 60% of peap against 40% of ttls.
Total number of eduroam users live is approx 800
Thanks very much, Panos
Hi, ...as I write this, we have 3856 clients using the wireless, 3828 are using PEAP 26 are using EAP-TTLS 2 are using EAP-TLS of course, if those 26 were very mobile across the UK then the national proxies might think we had far more EAP-TTLS users than PEAP users ALL are using WPA2/AES (for me, that is far more important as a statistic! ) ....but our values lie nicely in the 99% of clients are using PEAP that was already mentioned alan
On 20/11/12 14:19, Panagiotis Georgopoulos wrote:
Yeap, I understand this but telling people that you are doing EAP-TLS, or EAP-TTLS, or PEAP, or whatever does not really expose your network. Many companies have this information on the web already in "how-to-connect-to-our-wifi" guides. It seems strange to me that there is no survey with collective statistics about this anywhere.
Why are you telling us that? We know. We agree. The point is that lots of *other* people don't. Alan is not saying this is sensible; he's saying it *is the case*.
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?
As Stefan has said, it's a lot of work, and you'll need to justify it. However, in the spirit of being helpful - our ORPS stats for the last 4 hours, excluding our own users, show the following EAP types (in hex): 91 0d 501 03 4848 15 7540 01 35801 19 So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.
Hi Phil,
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?
As Stefan has said, it's a lot of work, and you'll need to justify it.
However, in the spirit of being helpful - our ORPS stats for the last 4 hours, excluding our own users, show the following EAP types (in hex):
91 0d 501 03 4848 15 7540 01 35801 19
So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.
Thanks a lot for this specific results. Essentially you are proving my point :-) At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4 hours). Essentially this is what I am after, to see whether what I am reading online is also what happens in practice (in terms of deployment and usage) (and then search why). Thanks again, Panos
Hi,
At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4
bzzzzt! thats where you are wrong ;-) you've got to take into account what the packet counts are measuring and whether these are unique clients. all it takes is a chatty couple of clients and your stats are skewed...for example, a client using EAP-TTLS that is continually reauthing will change the balance ..and EAP-TTLS takes a couple more packets to contruct the tunnel so will therefore have higher packet presence. we can , for example, see what methods sites use for their monitoring of service but that isnt indicative of all the methods that they use....and locally they might use some other method for their local 802.1X - eg EAP-TLS eg 102 organisation use a PEAP test account, 10 organisations use EAP-TTLS (with various inner types)..... I guess the real questin is WHY are you asking this - for a comp sci research project or for eg local administrative work? alan
Panagiotis Georgopoulos wrote:
At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4 hours). Essentially this is what I am after, to see whether what I am reading online is also what happens in practice (in terms of deployment and usage) (and then search why).
If you're going to call us liars, then you can go find your own mailing list. This list isn't the place to do research. The people here are answering your questions out of the kindness of their hearts. It's not nice to call them liars. If you care enough about the numbers, you will go do your own work. Then, everyone here can question your methods and tell you you're doing it wrong. Alan DeKok.
Panagiotis Georgopoulos wrote:
At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4 hours). Essentially this is what I am after, to see whether what I am reading online is also what happens in practice (in terms of deployment and usage) (and then search why).
If you're going to call us liars, then you can go find your own mailing list.
When did I ever call someone a liar?
This list isn't the place to do research. The people here are answering your questions out of the kindness of their hearts. It's not nice to call them liars.
It is because of the kindness of the people that I decided to ask. I didn't call anyone a liar. I am trying to have a discussion with people that would be willing to share some real results or give me some pointers because there is nothing as such online. Panos
Panagiotis Georgopoulos wrote:
When did I ever call someone a liar?
At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4 hours).
I am trying to have a discussion with people that would be willing to share some real results or give me some pointers because there is nothing as such online.
Sure. You need to understand the statistics that come back before disagreeing with them. Alan DeKok.
On 20/11/12 17:50, Panagiotis Georgopoulos wrote:
91 0d 501 03 4848 15 7540 01 35801 19
So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.
Thanks a lot for this specific results. Essentially you are proving my point :-)
At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4 hours). Essentially this is what I am after, to see whether what I am reading online is also what happens in practice (in terms of deployment and usage) (and then search why).
Sorry, but you're misunderstanding the stats, or reading too much into them. These are EAP types from EAP *packets*, not sessions. And, as I said, it excludes our *own* users (i.e. it's just visitors) which removed several hundred thousand PEAP packets from the count. EAP-Identity doesn't count as an auth type; there is one EAP packet for every session, at the start. If you exclude the Identity packets (type 1) and NAK packets (type 3) you have: 91 0d 4848 15 35801 19 This is 87% PEAP. However, this is still *packets*. It takes no account of sessions, of the client re-auth times, TLS session resumption, and so forth, and is still just for visitors. I'm afraid I don't have time to do more detailed processing. But really, you would want to "unique" any stats by client (Calling-Station-Id) and EAP-type, and measure "EAP type client days" or something.
Hi Phil, Thanks for your reply.
Sorry, but you're misunderstanding the stats, or reading too much into them.
These are EAP types from EAP *packets*, not sessions. And, as I said, it excludes our *own* users (i.e. it's just visitors) which removed several hundred thousand PEAP packets from the count.
EAP-Identity doesn't count as an auth type; there is one EAP packet for every session, at the start.
If you exclude the Identity packets (type 1) and NAK packets (type 3) you have:
91 0d 4848 15 35801 19
This is 87% PEAP. However, this is still *packets*. It takes no account of sessions, of the client re-auth times, TLS session resumption, and so forth, and is still just for visitors.
You are right Phil, I didn't get that these were counters for packets. My comment was merely on the fact that I am unable to find some related statistics and that people mention online their "feeling" about deployed/used EAP methods but there is no such survey/analysis available.
I'm afraid I don't have time to do more detailed processing. But really, you would want to "unique" any stats by client (Calling-Station-Id) and EAP-type, and measure "EAP type client days" or something.
Fair enough, thanks a lot for the insight, Panos
Hi,
information on the web already in "how-to-connect-to-our-wifi" guides. It seems strange to me that there is no survey with collective statistics about this anywhere.
its because noone cared....and therefore our systems arent collecting such information. we *could* survey our federation....but, to be honest, I think some of them are getting sick of being surveyed about this and that almost every few months.
I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?
...what would the end result be? is there a reason for wanting to know exact percentages of each good EAP method? EAP-TLS is fairly rare due to the PKI required...though with centralised systems such as eduroamJP project that may change... PEAP is most common... EAP-TTLS next so (though what method is used in EAP-TTLS inner is another thing altogether!) - then there are the hens teeth - EAP-FASTv1, EAP-PWD and PEAPv1-GTC alan
participants (6)
-
alan buxey -
Alan DeKok -
Olivier Beytrison -
Panagiotis Georgopoulos -
Phil Mayers -
Stefan Winter