debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

Matthew Newton mcn4 at leicester.ac.uk
Thu Aug 22 00:45:11 CEST 2013


On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> well looking at man wpa_supplicant I can see
> 
> EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.


> also from my google searches it might be possible that windows supports
> PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get

Yes

> There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam
> because we don't really trust supplicants in windows, macs and various phones
> to do the right thing (windows phone doesn't check the radius certificate for
> example).

If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.

Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
do EAP-TLS.

You do realise that EAP-TLS is certificate based, not
user/password? So you need a full certificate management system to
go with it as well to issue certs to your users. You can't get
user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
certificate (machine auth) only.

My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
deployment tools to get the devices configured correctly.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
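As an added example (not code from the thread or from wpa_supplicant's own docs), the three wpa_supplicant network blocks below show the unvalidated PEAP profile the concern is about, the same PEAP/EAP-MSCHAPv2 profile with server certificate checking pinned, and the EAP-TLS profile. SSID, identities, CA and key paths and the RADIUS hostname are placeholders, and only one of the blocks would be deployed per device.

```conf
# Added example: three alternative wpa_supplicant network blocks for one SSID.
# All hostnames, paths, identities and passwords are placeholders.

# WEAK: no ca_cert, so the supplicant accepts any RADIUS server certificate.
# This is the "supplicant doesn't check the radius certificate" case: a
# spoofed AP with its own certificate terminates the tunnel and sees the
# MSCHAPv2 exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="secret"
    phase2="auth=MSCHAPV2"
}

# HARDENED PEAP/EAP-MSCHAPv2: trust only the CA that issued the RADIUS
# certificate and require the expected server name, so any other
# certificate is rejected before the inner MSCHAPv2 starts.
# (domain_suffix_match needs wpa_supplicant 2.1 or later; on older builds
# subject_match="/CN=radius.example.org" is the fallback.)
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="secret"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS: certificate based, no user password. The client needs its own
# certificate and private key, which is where the certificate management
# system mentioned above comes in.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    client_cert="/etc/wpa_supplicant/user.crt"
    private_key="/etc/wpa_supplicant/user.key"
    private_key_passwd="keypassphrase"
}
```

The same ca_cert plus server-name check is what a deployment tool must push to Windows, macOS and phone supplicants to close the gap the thread describes; without it, PEAP/MSCHAPv2 offers no protection against a rogue RADIUS server.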

