SASL binds - Rambling...

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 24 14:43:47 CET 2015


On 24/02/15 13:02, Matthew Newton wrote:

> Push towards EAP-TTLS/PAP? More clients are supporting it (Windows
> 7 the only major exception), and *much* more flexible on the
> RADIUS side.

I'm not sure how that helps. MSCHAP is already embedded inside TLS for 
PEAP, so any concerns about MSCHAP imply concerns about PEAP, most 
likely the difficulty of ensuring proper CA trust settings on clients 
(cough, Android, cough).

IMO, ensuring (as opposed to attempting) proper client setup is just too 
hard for PKIX-based systems in large organisations unless you spend a 
lot of money on a supplicant deployment tool. This sucks, and the 
supplicant/OS vendors need to get their shit together and fix 
cross-platform provisioning.

I really wish EAP-PWD had identity privacy... and maybe a more mature 
cryptanalysis ;o)

Basically, the state of EAP methods and provisioning sucks. It's a 
classic IT industry outcome: get 90% of the way there and stop, 
distracted by the new shiny, leaving the ops community holding the bag!

TEAP support? <crickets>
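The point above about CA trust on clients, illustrated with an added wpa_supplicant configuration that is not part of the thread or of FreeRADIUS itself. The SSID, identities, CA file path and RADIUS server name are made-up placeholders; the directives (`ca_cert`, `domain_match`, `anonymous_identity`, `phase2`) are standard wpa_supplicant network-block options. The first block shows the weak setup, the second the checked one, and the third the same trust settings applied to EAP-TTLS/PAP.

```conf
# Added example, not from the list post. Placeholder SSID, identities,
# CA path and server name: replace them with your organisation's values.

# WEAK: no ca_cert and no server-name check. The supplicant will build the
# TLS tunnel to whatever presents itself as the RADIUS server, and the
# MSCHAPv2 exchange inside that tunnel is then exposed to that peer.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# CHECKED: pin the CA that issues the RADIUS server certificate and require
# the server name to match. The inner MSCHAPv2 credentials are only ever
# sent inside a tunnel terminated by the legitimate server. The anonymous
# outer identity keeps the real username out of the unencrypted EAP exchange.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}

# EAP-TTLS/PAP with the same trust settings. PAP is plaintext inside the
# tunnel, so it is exactly as safe as the server validation that protects
# the tunnel: the CA and name checks are not optional here either.
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=PAP"
}
```

A quick check on a deployed client is to confirm that every EAP network block carries both `ca_cert` and a `domain_match` (or `domain_suffix_match`) entry; a block with only `ca_cert` still accepts any certificate from that CA, and a block with neither accepts any server at all.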

