Re: What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?
Hi Elias, If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job. EAP-TLS seems to be suitable and is ready to use with a FreeRadius Fresh install as I know (I don't use). Note for EAP-TTLS: You should not use PAP under TTLS as a Radius admin can see users passwords in debug mode (and even log them). I prefer challenges based methods (eg. MSCHAPv2) for user interactive auths. Regards, Denis. ------------------------------------------------ Hello Adam, thanks for the answer!! :) At first our freeradius server will be configured for authentication of smartphones from our wifi network. My intent is to try and configure each client to have their own certificate for the connection. Scenario 1 (in tests) I already have a scenario with EAP-PEAP where the client downloads the CA, installs it on his smartphone and connects, but as we know, if he does not select the CA at the time of connection, he will still be able to connect. In this way we are in the hands of the user's "willingness" to use the CA, even informing the danger of not using the CA. Scenario 2 (intended) As mentioned above, I would like a scenario where the client had its own certificate and the radius server verified this certificate in authentication. If it is signed by the CA of the server, it authenticates, otherwise, not. For scenario 2, what is the best method? -- Elias Pereira On Mon, Aug 20, 2018 at 7:44 AM Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
On 20 Aug 2018, at 04:37, Elias Pereira <empbilly at gmail.com> wrote:
Starting from a scenario with 3 servers, where all 3 methods are properly configured, what would be the safest method?
Your question is a little too vague - all three methods can be equally secure over the wire. They're all TLS-based and all support client certs.
It's the details of the configuration that differentiate them - so how are you planning on configuring your clients?
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect. Nik
Thanks for all clarification about the eap- * configs. How can I mitigate the security issue if I do not use password for personal certificate? On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev@jisc.ac.uk> wrote:
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect.
Nik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Elias Pereira
- Tell your users to alert immediatly in case of lost/stolen phone - Client certificate revocation of stolen/lost phones - Appropriate (not too long) client certificate validity time - Lost phones MAC addresses blocking - Verify this rule with Radius logs: One certificate/One MAC (no certificate share with numerous devices) - Phones flash memories encrypted - Use a Mobile Device Management - User authentication on corporate applications once connected on wifi network ...? Denis. On 24/08/2018 13:06, Elias Pereira wrote:
Thanks for all clarification about the eap- * configs.
How can I mitigate the security issue if I do not use password for personal certificate?
On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev@jisc.ac.uk> wrote:
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect.
Nik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Denis!!! :) Verify this rule with Radius logs: One certificate/One MAC (no
certificate share with numerous devices)
But the certificate is not per user? How would that look if it had a smartphone and a noteboot? Use a Mobile Device Management Do you have an example of this? On Fri, Aug 24, 2018 at 9:13 AM Denis Mirassou (UT3/DSI) < denis.mirassou@univ-tlse3.fr> wrote:
- Tell your users to alert immediatly in case of lost/stolen phone - Client certificate revocation of stolen/lost phones - Appropriate (not too long) client certificate validity time - Lost phones MAC addresses blocking - Verify this rule with Radius logs: One certificate/One MAC (no certificate share with numerous devices) - Phones flash memories encrypted - Use a Mobile Device Management - User authentication on corporate applications once connected on wifi network ...?
Denis.
On 24/08/2018 13:06, Elias Pereira wrote:
Thanks for all clarification about the eap- * configs.
How can I mitigate the security issue if I do not use password for personal certificate?
On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev@jisc.ac.uk> wrote:
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect.
Nik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Elias Pereira
Seems better to me to allocate a certificate per device. Otherwise, how do you prevent a stolen phone from using your wifi ? I have no personnal experience on mdm, sorry ! On 24/08/2018 15:32, Elias Pereira wrote:
Thanks Denis!!! :)
Verify this rule with Radius logs: One certificate/One MAC (no
certificate share with numerous devices)
But the certificate is not per user? How would that look if it had a smartphone and a noteboot?
Use a Mobile Device Management
Do you have an example of this?
On Fri, Aug 24, 2018 at 9:13 AM Denis Mirassou (UT3/DSI) < denis.mirassou@univ-tlse3.fr> wrote:
- Tell your users to alert immediatly in case of lost/stolen phone - Client certificate revocation of stolen/lost phones - Appropriate (not too long) client certificate validity time - Lost phones MAC addresses blocking - Verify this rule with Radius logs: One certificate/One MAC (no certificate share with numerous devices) - Phones flash memories encrypted - Use a Mobile Device Management - User authentication on corporate applications once connected on wifi network ...?
Denis.
On 24/08/2018 13:06, Elias Pereira wrote:
Thanks for all clarification about the eap- * configs.
How can I mitigate the security issue if I do not use password for personal certificate?
On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev@jisc.ac.uk> wrote:
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect.
Nik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
One other thing to consider in this is EAP-PWD. If you have a way to tell android devices apart by MAC and can change your EAP method, and if your credentials are stored with a compatible hash, it might be worth consideration. (Only Android devices can do it last time I checked). This does not use a certificate, and since Android security for EAP-PEAP is behind the curve it is a better option for those devices. You do sacrifice identity privacy (people can tell the username used by the device by sniffing OTA packets) but nobody seems to care about that when using EAP-PEAP, and it is already sacrificed under most PKI schemes used for EAP-TLS since the username is often embedded in the client cert. ________________________________________ From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org> on behalf of Denis Mirassou (UT3/DSI) <denis.mirassou@univ-tlse3.fr> Sent: Friday, August 24, 2018 10:30 AM To: freeradius-users@lists.freeradius.org Subject: Re: What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS? Seems better to me to allocate a certificate per device. Otherwise, how do you prevent a stolen phone from using your wifi ? I have no personnal experience on mdm, sorry ! On 24/08/2018 15:32, Elias Pereira wrote:
Thanks Denis!!! :)
Verify this rule with Radius logs: One certificate/One MAC (no
certificate share with numerous devices)
But the certificate is not per user? How would that look if it had a smartphone and a noteboot?
Use a Mobile Device Management
Do you have an example of this?
On Fri, Aug 24, 2018 at 9:13 AM Denis Mirassou (UT3/DSI) < denis.mirassou@univ-tlse3.fr> wrote:
- Tell your users to alert immediatly in case of lost/stolen phone - Client certificate revocation of stolen/lost phones - Appropriate (not too long) client certificate validity time - Lost phones MAC addresses blocking - Verify this rule with Radius logs: One certificate/One MAC (no certificate share with numerous devices) - Phones flash memories encrypted - Use a Mobile Device Management - User authentication on corporate applications once connected on wifi network ...?
Denis.
On 24/08/2018 13:06, Elias Pereira wrote:
Thanks for all clarification about the eap- * configs.
How can I mitigate the security issue if I do not use password for personal certificate?
On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev@jisc.ac.uk> wrote:
On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
If your concern is about to authenticate devices (smartphones) and not users for sure (think of stolen phones), Client certificates should do the job.
If the private key for the client certificate is encrypted and requires a password, you can authenticate the user too and not just the device. That said, most of the time wifi passwords are stored in the phone and not required to connect.
Nik
- List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Cbjulin%40clarku.edu%7C589e21921314483cfe9d08d609ce3128%7Cb5b2263d68aa453eb972aa1421410f80%7C1%7C0%7C636707178539494994&sdata=RBg6MT%2BbiQxI6rO4fb0sO3uTtZaA4EM%2B8aooSxnZhdY%3D&reserved=0
- List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Cbjulin%40clarku.edu%7C589e21921314483cfe9d08d609ce3128%7Cb5b2263d68aa453eb972aa1421410f80%7C1%7C0%7C636707178539494994&sdata=RBg6MT%2BbiQxI6rO4fb0sO3uTtZaA4EM%2B8aooSxnZhdY%3D&reserved=0
- List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Cbjulin%40clarku.edu%7C589e21921314483cfe9d08d609ce3128%7Cb5b2263d68aa453eb972aa1421410f80%7C1%7C0%7C636707178539494994&sdata=RBg6MT%2BbiQxI6rO4fb0sO3uTtZaA4EM%2B8aooSxnZhdY%3D&reserved=0
participants (4)
-
Brian Julin -
Denis Mirassou (UT3/DSI) -
Elias Pereira -
Nik Mitev