What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?

Denis Mirassou (UT3/DSI) denis.mirassou at univ-tlse3.fr
Tue Aug 21 09:01:38 CEST 2018


Hi Elias,

If your concern is authenticating devices (smartphones) and not 
users for sure (think of stolen phones), client certificates should do 
the job.
EAP-TLS seems to be suitable and is ready to use with a fresh FreeRADIUS 
install, as far as I know (I don't use it).

Note for EAP-TTLS:
You should not use PAP under TTLS, as a RADIUS admin can see users' 
passwords in debug mode (and even log them).
I prefer challenge-based methods (e.g. MSCHAPv2) for user-interactive auths.

Regards,

Denis.
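The trust decision in Elias's scenario 2 (and behind Denis's EAP-TLS suggestion) is the RADIUS server checking that the presented client certificate chains to its own CA. As an added example that is neither FreeRADIUS code nor from either poster, here is that check in Go against a constructed two-CA test PKI; the CA names, the phone identifier and the newCert helper are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a one-day certificate for cn: a self-signed CA when parent is
// nil, otherwise a client certificate signed by parent. Hypothetical helper that
// stands in for whatever enrolment tooling issues the per-phone certificates.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent, parentKey = tmpl, key
	} else { // end-entity certificate usable only for client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // constructed test PKI; a failure here is a bug in the helper
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AcceptClient is the scenario-2 decision: accept the presented certificate only
// if it chains to our own CA, is inside its validity period at time now and is
// marked for client authentication. A stolen phone's certificate still chains
// correctly, so expiry (and revocation, not shown here) is what locks it out.
func AcceptClient(client, ourCA *x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ourCA)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

A certificate for the same phone name issued by any other CA fails the chain check, and the same phone's certificate is refused once its validity window has passed.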




------------------------------------------------
Hello Adam, thanks for the answer!! :)

At first, our freeradius server will be configured for authentication of
smartphones from our wifi network. My intent is to try to configure each
client to have its own certificate for the connection.

Scenario 1 (in tests)
I already have a scenario with EAP-PEAP where the client downloads the CA,
installs it on his smartphone and connects, but as we know, if he does not
select the CA at the time of connection, he will still be able to connect.
In this way we are in the hands of the user's "willingness" to use the CA,
even after informing him of the danger of not using the CA.

Scenario 2 (intended)
As mentioned above, I would like a scenario where the client has its own
certificate and the radius server verifies this certificate during
authentication. If it is signed by the CA of the server, it authenticates;
otherwise, not.

For scenario 2, what is the best method?

-- 
Elias Pereira


On Mon, Aug 20, 2018 at 7:44 AM Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:

 > On 20 Aug 2018, at 04:37, Elias Pereira <empbilly at gmail.com> wrote:
 > > Starting from a scenario with 3 servers, where all 3 methods are properly
 > > configured, what would be the safest method?
 >
 > Your question is a little too vague - all three methods can be equally
 > secure over the wire. They're all TLS-based and all support client certs.
 >
 > It's the details of the configuration that differentiate them - so how are
 > you planning on configuring your clients?
 >
 > Adam Bishop
 >
 >   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
 >
 > jisc.ac.uk
 >
 > -
 > List info/subscribe/unsubscribe? See
 > http://www.freeradius.org/list/users.html
