SASL binds - Rambling...

Matthew Newton mcn4 at leicester.ac.uk
Tue Feb 24 15:09:35 CET 2015


On Tue, Feb 24, 2015 at 01:43:47PM +0000, Phil Mayers wrote:
> On 24/02/15 13:02, Matthew Newton wrote:
> 
> >Push towards EAP-TTLS/PAP? More clients are supporting it (Windows
> >7 the only major exception), and *much* more flexible on the
> >RADIUS side.
> 
> I'm not sure how that helps.

Well, with EAP-TTLS/PAP, the RADIUS server gets the plaintext
password from the client, so it can do whatever backend auth
mechanism it likes...

I'm not thinking about security concerns handling plain passwords;
we can be as protective about the RADIUS server as the Windows
guys can be about their DCs, and the NTLM hash is nearly as good
as plaintext anyway, hence the reason they may want to kill it
off.

> IMO, ensuring (as opposed to attempting) proper client setup is just
> too hard for PKIX-based systems in large organisations unless you
> spend a lot of money on a supplicant deployment tool. This sucks,
> and the supplicant/OS vendors need to get their shit together and
> fix cross-platform provisioning.

Agreed. EAP-TLS would be a lot nicer, but requires a lot more
effort for on-boarding. We have enough complaints about the client
setup processes as it is (and they really aren't that hard).

> Basically, the state of EAP methods and provisioning sucks. It's a

It's the usual story with something "extensible". You end up
having to run the lowest common denominator, which is probably
tantamount to crap. SSL and crypto algorithms, anyone?

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>