SASL binds - Rambling...
p.mayers at imperial.ac.uk
Tue Feb 24 14:43:47 CET 2015
On 24/02/15 13:02, Matthew Newton wrote:

> Push towards EAP-TTLS/PAP? More clients are supporting it (Windows
> 7 the only major exception), and *much* more flexible on the
> RADIUS side.

I'm not sure how that helps. MSCHAP is already embedded inside TLS for
PEAP, so any concerns about MSCHAP imply concerns about PEAP, most
likely the difficulty of ensuring proper CA trust settings on clients
(cough, Android, cough).

IMO, ensuring (as opposed to attempting) proper client setup is just too
hard for PKIX-based systems in large organisations unless you spend a
lot of money on a supplicant deployment tool. This sucks, and the
supplicant/OS vendors need to get their shit together and fix

I really wish EAP-PWD had identity privacy... and maybe a more mature

Basically, the state of EAP methods and provisioning sucks. It's a
classic IT industry outcome, get 90% of the way there and stop,
distracted, by the new shiny, leaving the ops community holding the bag!

TEAP support? <crickets>