What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?

Denis Mirassou (UT3/DSI) denis.mirassou at univ-tlse3.fr
Fri Aug 24 14:13:33 CEST 2018

- Tell your users to alert immediately in case of lost/stolen phone
- Client certificate revocation of stolen/lost phones
- Appropriate (not too long) client certificate validity time
- Lost phones MAC addresses blocking
- Verify this rule with Radius logs: One certificate/One MAC (no 
certificate share with numerous devices)
- Phones flash memories encrypted
- Use a Mobile Device Management
- User authentication on corporate applications once connected on wifi 


On 24/08/2018 13:06, Elias Pereira wrote:
> Thanks for all clarification about the eap-* configs.
> How can I mitigate the security issue if I do not use password for personal
> certificate?
> On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev at jisc.ac.uk> wrote:
>> On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
>>> If your concern is about to authenticate devices (smartphones) and not
>>> users for sure (think of stolen phones), Client certificates should do
>>> the job.
>> If the private key for the client certificate is encrypted and requires
>> a password, you can authenticate the user too and not just the device.
>> That said, most of the time wifi passwords are stored in the phone and
>> not required to connect.
>> Nik
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
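
The "One certificate/One MAC" log check from the list at the top of this message, as an added example that is not code from the thread or from the FreeRADIUS project. It assumes detail-style records in which the server has been configured to log TLS-Client-Cert-Serial next to Calling-Station-Id; the sample records and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a FreeRADIUS "detail" file (assumption:
# TLS-Client-Cert-Serial is logged alongside Calling-Station-Id).
SAMPLE_DETAIL = """\
Fri Aug 24 09:00:01 2018
\tCalling-Station-Id = "AA-BB-CC-00-00-01"
\tTLS-Client-Cert-Serial = "1001"

Fri Aug 24 09:05:12 2018
\tCalling-Station-Id = "aa:bb:cc:00:00:02"
\tTLS-Client-Cert-Serial = "1002"

Fri Aug 24 11:30:45 2018
\tCalling-Station-Id = "aabb.cc00.0001"
\tTLS-Client-Cert-Serial = "1001"

Fri Aug 24 13:42:07 2018
\tCalling-Station-Id = "AA-BB-CC-00-00-99"
\tTLS-Client-Cert-Serial = "1002"
"""

# Indented 'Name = "value"' lines; the unindented timestamp header never matches.
ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def normalize_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None

def parse_records(text):
    """Yield one attribute dict per blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(m.groups() for m in map(ATTR.match, block.splitlines()) if m)
        if attrs:
            yield attrs

def shared_certificates(text):
    """Return {cert serial: sorted MACs} for serials seen from more than one MAC."""
    seen = defaultdict(set)
    for rec in parse_records(text):
        mac = normalize_mac(rec.get("Calling-Station-Id", ""))
        serial = rec.get("TLS-Client-Cert-Serial")
        if mac and serial:
            seen[serial].add(mac)
    return {s: sorted(m) for s, m in seen.items() if len(m) > 1}

if __name__ == "__main__":
    print(shared_certificates(SAMPLE_DETAIL))
```

Phones that randomize their Wi-Fi MAC address will show up as several MACs for one certificate, so treat a hit as a lead to check against the device inventory rather than proof of sharing.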
