OS / Protocol Compatibility
Brian Julin
BJulin at clarku.edu
Fri Apr 7 22:44:16 CEST 2017
David wrote:
> Brian, I agree with you about PAP. We have multi-site organization, so
> passwords will be transmitted over WAN. Might have to explore Matthew and
> TIm's suggestions.
Save you the trouble: The cliff notes on 1-factor/built-in-supplicants are:
If it's for infrastructure admin access (switches, etc) only bad options are available.
Secure your control plane with a fail-closed IPSEC setup first. Hope you bought gateways
with good L2L VPN feature sets.
If it's for WiFi or wired EAPOL, use EAP-TLS, EAP-PEAP-MSCHAPv2, or
EAP-TTLS-something depending on your needs.
If it's for IPSEC-RA/IKEv2, don't hit the AAA servers directly from the initial IKEv2
auth phase on Windows clients... use the above protocols for an inner EAP auth and
validate the AAA cert... agilevpn does not adequately protect against downgrade
attacks by validating the IKE cert unless you do this. That means you'll want to
send Linux and OSX to a different IPSEC-RA/IKEv2 instance than Windows because
they can validate IKE certs correctly, and OSX doesn't support any good inner
auths.
More information about the Freeradius-Users
mailing list