What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?

Elias Pereira empbilly at gmail.com
Fri Aug 24 15:32:22 CEST 2018


Thanks Denis!!! :)

> - Verify this rule with Radius logs: One certificate/One MAC (no
> certificate share with numerous devices)


But the certificate is not per user? How would that look if it had a
smartphone and a notebook?

> - Use a Mobile Device Management


Do you have an example of this?

On Fri, Aug 24, 2018 at 9:13 AM Denis Mirassou (UT3/DSI) <
denis.mirassou at univ-tlse3.fr> wrote:

> - Tell your users to alert immediately in case of lost/stolen phone
> - Client certificate revocation of stolen/lost phones
> - Appropriate (not too long) client certificate validity time
> - Lost phones MAC addresses blocking
> - Verify this rule with Radius logs: One certificate/One MAC (no
> certificate share with numerous devices)
> - Phones flash memories encrypted
> - Use a Mobile Device Management
> - User authentication on corporate applications once connected on wifi
> network
> ...?
>
> Denis.
>
> On 24/08/2018 13:06, Elias Pereira wrote:
> > Thanks for all clarification about the eap-* configs.
> >
> > How can I mitigate the security issue if I do not use password for
> > personal certificate?
> >
> >
> > On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev at jisc.ac.uk> wrote:
> >
> >> On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
> >>> If your concern is about to authenticate devices (smartphones) and not
> >>> users for sure (think of stolen phones), Client certificates should do
> >>> the job.
> >>
> >> If the private key for the client certificate is encrypted and requires
> >> a password, you can authenticate the user too and not just the device.
> >> That said, most of the time wifi passwords are stored in the phone and
> >> not required to connect.
> >>
> >> Nik
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> >
> >



-- 
Elias Pereira
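
The "one certificate / one MAC" check on RADIUS logs mentioned in the list above, sketched as an added example that is not part of the original thread. The key=value line layout is an assumption (for instance a custom linelog format) and the sample lines are constructed; the attribute names TLS-Client-Cert-Serial, TLS-Client-Cert-Common-Name and Calling-Station-Id are FreeRADIUS's own.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key=value layout is an assumed log format,
# not FreeRADIUS's default radius.log output.
SAMPLE_LOG = """\
2018-08-24T09:00:01 Access-Accept TLS-Client-Cert-Serial=0a1b TLS-Client-Cert-Common-Name="alice-phone" Calling-Station-Id=AA-BB-CC-00-11-22
2018-08-24T09:05:12 Access-Accept TLS-Client-Cert-Serial=0a1b TLS-Client-Cert-Common-Name="alice-phone" Calling-Station-Id=aa:bb:cc:00:11:22
2018-08-24T09:07:40 Access-Accept TLS-Client-Cert-Serial=0c2d TLS-Client-Cert-Common-Name="bob" Calling-Station-Id=AA-BB-CC-33-44-55
2018-08-24T09:30:03 Access-Accept TLS-Client-Cert-Serial=0c2d TLS-Client-Cert-Common-Name="bob" Calling-Station-Id=AABB.CC66.7788
2018-08-24T09:31:00 Access-Reject TLS-Client-Cert-Serial=0e3f TLS-Client-Cert-Common-Name="carol" Calling-Station-Id=AA-BB-CC-99-99-99
"""

# Matches Attribute=value or Attribute="quoted value"
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r'[^0-9a-fA-F]', '', raw).lower()
    return digits if len(digits) == 12 else None


def shared_certificates(log_text):
    """Return {cert serial: sorted MACs} for certificates accepted from >1 MAC."""
    macs_by_serial = defaultdict(set)
    for line in log_text.splitlines():
        if 'Access-Accept' not in line:
            continue  # only successful authentications count
        attrs = {k: v.strip('"') for k, v in PAIR.findall(line)}
        serial = attrs.get('TLS-Client-Cert-Serial')
        mac = normalize_mac(attrs.get('Calling-Station-Id', ''))
        if serial and mac:
            macs_by_serial[serial.lower()].add(mac)
    return {s: sorted(m) for s, m in macs_by_serial.items() if len(m) > 1}


if __name__ == '__main__':
    for serial, macs in shared_certificates(SAMPLE_LOG).items():
        print(f'certificate {serial} seen from {len(macs)} MACs: {", ".join(macs)}')
```

MACs are normalized before comparison because NAS vendors write Calling-Station-Id in different notations, which would otherwise produce false positives for a single device. A certificate installed on two devices of the same user, or a device that randomizes its MAC address, is reported as well.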


More information about the Freeradius-Users mailing list