What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?

Denis Mirassou (UT3/DSI) denis.mirassou at univ-tlse3.fr
Fri Aug 24 16:30:38 CEST 2018


Seems better to me to allocate a certificate per device.
Otherwise, how do you prevent a stolen phone from using your wifi?

I have no personal experience with MDM, sorry!

On 24/08/2018 15:32, Elias Pereira wrote:
> Thanks Denis!!! :)
> 
>> Verify this rule with Radius logs: One certificate/One MAC (no
>> certificate share with numerous devices)
> 
> 
> But the certificate is not per user? How would that look if it had a
> smartphone and a notebook?
> 
> Use a Mobile Device Management
> 
> 
> Do you have an example of this?
> 
> On Fri, Aug 24, 2018 at 9:13 AM Denis Mirassou (UT3/DSI) <
> denis.mirassou at univ-tlse3.fr> wrote:
> 
>> - Tell your users to alert immediately in case of a lost/stolen phone
>> - Client certificate revocation of stolen/lost phones
>> - Appropriate (not too long) client certificate validity time
>> - Blocking of lost phones' MAC addresses
>> - Verify this rule with Radius logs: One certificate/One MAC (no
>> certificate share with numerous devices)
>> - Phones' flash memory encrypted
>> - Use a Mobile Device Management
>> - User authentication on corporate applications once connected on the wifi
>> network
>> ...?
>>
>> Denis.
>>
>> On 24/08/2018 13:06, Elias Pereira wrote:
>>> Thanks for all the clarification about the eap-* configs.
>>>
>>> How can I mitigate the security issue if I do not use a password for the
>> personal
>>> certificate?
>>>
>>>
>>> On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev at jisc.ac.uk> wrote:
>>>
>>>> On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
>>>>> If your concern is about authenticating devices (smartphones) and not
>>>>> users for sure (think of stolen phones), client certificates should do
>>>>> the job.
>>>>
>>>> If the private key for the client certificate is encrypted and requires
>>>> a password, you can authenticate the user too and not just the device.
>>>> That said, most of the time wifi passwords are stored in the phone and
>>>> not required to connect.
>>>>
>>>> Nik
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>
>>>
>>>
> 
> 
> 
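
As an added example (not written by any participant in this thread), here is how the "one certificate / one MAC" rule and the lost-phone MAC block list from Denis's checklist can be verified against RADIUS logs. The script parses a constructed sample in the style of a FreeRADIUS detail file (blank-line separated records, one "Attribute = value" per line); the attribute names TLS-Client-Cert-Common-Name and Calling-Station-Id are FreeRADIUS's own, while the hostnames, MAC addresses and the lost-MAC list are made up for this example. A certificate that turns up from more than one MAC is a candidate for revocation, and any session from a MAC on the lost list means the block on the controller is not yet in place.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a FreeRADIUS detail file.
# Hostnames and MAC addresses are invented for this example.
SAMPLE_DETAIL = """\
Fri Aug 24 14:01:02 2018
\tUser-Name = "phone01"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-01"
\tTLS-Client-Cert-Common-Name = "phone01.example.edu"
\tAcct-Status-Type = Start

Fri Aug 24 14:05:10 2018
\tUser-Name = "phone02"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-02"
\tTLS-Client-Cert-Common-Name = "phone02.example.edu"
\tAcct-Status-Type = Start

Fri Aug 24 15:12:44 2018
\tUser-Name = "phone01"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-99"
\tTLS-Client-Cert-Common-Name = "phone01.example.edu"
\tAcct-Status-Type = Start

Fri Aug 24 15:20:00 2018
\tUser-Name = "phone03"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-03"
\tTLS-Client-Cert-Common-Name = "phone03.example.edu"
\tAcct-Status-Type = Start
"""

# Constructed: the MAC of a phone its user has reported lost.
LOST_MACS = {"AA-BB-CC-DD-EE-03"}

# Matches '\tAttribute = "value"' or '\tAttribute = value'.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text):
    """Split detail-file text into one dict per record.

    The unindented line that opens a record is kept as its 'timestamp'.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        else:
            current.setdefault("timestamp", line.strip())
    if current:
        records.append(current)
    return records


def shared_certificates(records):
    """Return {cert CN: sorted MACs} for every certificate seen from more than one MAC."""
    macs_by_cert = defaultdict(set)
    for r in records:
        cn = r.get("TLS-Client-Cert-Common-Name")
        mac = r.get("Calling-Station-Id")
        if cn and mac:
            macs_by_cert[cn].add(mac.upper())
    return {cn: sorted(macs) for cn, macs in macs_by_cert.items() if len(macs) > 1}


def lost_device_sessions(records, lost_macs):
    """Return (timestamp, MAC, cert CN) for records coming from a MAC on the lost list."""
    lost = {m.upper() for m in lost_macs}
    return [
        (r.get("timestamp"), r.get("Calling-Station-Id"), r.get("TLS-Client-Cert-Common-Name"))
        for r in records
        if r.get("Calling-Station-Id", "").upper() in lost
    ]


def audit(text=SAMPLE_DETAIL, lost_macs=LOST_MACS):
    """Run both checks and return their findings together."""
    records = parse_detail(text)
    return {
        "shared": shared_certificates(records),
        "lost_hits": lost_device_sessions(records, lost_macs),
    }


if __name__ == "__main__":
    findings = audit()
    for cn, macs in findings["shared"].items():
        print(f"certificate {cn} used from {len(macs)} MACs: {', '.join(macs)}")
    for ts, mac, cn in findings["lost_hits"]:
        print(f"session from lost device {mac} ({cn}) at {ts}")
```

Against the sample, phone01's certificate is flagged because it appears from two different MACs, and phone03's session is flagged because its MAC is on the lost list. On a real deployment the script would read the detail file from the RADIUS server's log directory, and both findings are the trigger for the earlier steps in the list (revoke the certificate, block the MAC) rather than a substitute for them.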


More information about the Freeradius-Users mailing list