What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?

Brian Julin BJulin at clarku.edu
Fri Aug 24 16:42:07 CEST 2018


One other thing to consider in this is EAP-PWD.

If you have a way to tell android devices apart by MAC and
can change your EAP method, and if your credentials are
stored with a compatible hash, it might be worth 
consideration.  (Only Android devices can do it last time I checked).

This does not use a certificate, and since Android security for
EAP-PEAP is behind the curve it is a better option for those devices.

You do sacrifice identity privacy (people can tell the username
used by the device by sniffing OTA packets) but nobody seems
to care about that when using EAP-PEAP, and it is already sacrificed
under most PKI schemes used for EAP-TLS since the username is
often embedded in the client cert.

________________________________________
From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org> on behalf of Denis Mirassou (UT3/DSI) <denis.mirassou at univ-tlse3.fr>
Sent: Friday, August 24, 2018 10:30 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: What is more secure: EAP-PEAP, EAP-TLS or EAP-TTLS?

Seems better to me to allocate a certificate per device.
Otherwise, how do you prevent a stolen phone from using your wifi?

I have no personal experience with MDM, sorry!

On 24/08/2018 15:32, Elias Pereira wrote:
> Thanks Denis!!! :)
>
>> Verify this rule with Radius logs: One certificate/One MAC (no
>> certificate share with numerous devices)
>
>
> But the certificate is not per user? How would that look if it had a
> smartphone and a notebook?
>
>> Use a Mobile Device Management
>
>
> Do you have an example of this?
>
> On Fri, Aug 24, 2018 at 9:13 AM Denis Mirassou (UT3/DSI) <
> denis.mirassou at univ-tlse3.fr> wrote:
>
>> - Tell your users to alert immediately in case of lost/stolen phone
>> - Client certificate revocation of stolen/lost phones
>> - Appropriate (not too long) client certificate validity time
>> - Lost phones MAC addresses blocking
>> - Verify this rule with Radius logs: One certificate/One MAC (no
>> certificate share with numerous devices)
>> - Phones flash memories encrypted
>> - Use a Mobile Device Management
>> - User authentication on corporate applications once connected on wifi
>> network
>> ...?
>>
>> Denis.
>>
>> On 24/08/2018 13:06, Elias Pereira wrote:
>>> Thanks for all clarification about the eap- * configs.
>>>
>>> How can I mitigate the security issue if I do not use a password for
>>> the personal certificate?
>>>
>>>
>>> On Tue, Aug 21, 2018 at 5:04 AM Nik Mitev <nik.mitev at jisc.ac.uk> wrote:
>>>
>>>> On 21/08/18 08:01, Denis Mirassou (UT3/DSI) wrote:
>>>>> If your concern is to authenticate devices (smartphones) and not
>>>>> users for sure (think of stolen phones), client certificates should do
>>>>> the job.
>>>>
>>>> If the private key for the client certificate is encrypted and requires
>>>> a password, you can authenticate the user too and not just the device.
>>>> That said, most of the time wifi passwords are stored in the phone and
>>>> not required to connect.
>>>>
>>>> Nik
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>
>>>
>>>
>
>
>
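The "one certificate / one MAC" rule that Denis proposes checking against RADIUS logs can be automated. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses accepted-login records, maps each client-certificate common name to the set of MAC addresses (Calling-Station-Id) it authenticated from, and reports certificates that appear from more than one device. The sample log lines are constructed for this example; the attribute names User-Name, Calling-Station-Id and TLS-Client-Cert-Common-Name are real FreeRADIUS attribute names, but the one-line `attr = "value", attr = "value"` layout is an assumption made here and would need adapting to the detail-file or radius.log format actually in use.

```python
"""
Added example: flag client certificates seen from more than one MAC address
in RADIUS authentication records ("one certificate / one MAC" check).

Log layout below is an assumption for this example, not a specific
FreeRADIUS output format. The attribute names are FreeRADIUS attributes.
"""
import re
from collections import defaultdict

# Constructed sample records: one accepted EAP-TLS authentication per line.
# phone-0042 appears from two different MACs; tablet-0099 appears from the
# same MAC written with two different separators and must NOT be flagged.
SAMPLE_LOG = """\
Auth: Login OK: TLS-Client-Cert-Common-Name = "phone-0042", Calling-Station-Id = "AA-BB-CC-11-22-33", User-Name = "alice"
Auth: Login OK: TLS-Client-Cert-Common-Name = "phone-0042", Calling-Station-Id = "AA-BB-CC-11-22-33", User-Name = "alice"
Auth: Login OK: TLS-Client-Cert-Common-Name = "laptop-0007", Calling-Station-Id = "DE-AD-BE-EF-00-01", User-Name = "bob"
Auth: Login OK: TLS-Client-Cert-Common-Name = "phone-0042", Calling-Station-Id = "00-11-22-33-44-55", User-Name = "alice"
Auth: Login OK: TLS-Client-Cert-Common-Name = "tablet-0099", Calling-Station-Id = "aa:bb:cc:dd:ee:ff", User-Name = "carol"
Auth: Login OK: TLS-Client-Cert-Common-Name = "tablet-0099", Calling-Station-Id = "AA-BB-CC-DD-EE-FF", User-Name = "carol"
Auth: Login incorrect: TLS-Client-Cert-Common-Name = "phone-0042", Calling-Station-Id = "FF-FF-FF-FF-FF-FF", User-Name = "alice"
"""

# Matches attribute = "value" pairs; attribute names may contain hyphens.
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def normalize_mac(mac):
    """Canonical form: lowercase hex pairs joined by ':' whatever the input separator.

    Supplicants and NAS vendors write Calling-Station-Id with '-', ':' or no
    separator; without normalising, one device would look like several.
    """
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_records(text):
    """Yield an attribute dict for each accepted ("Login OK") record.

    Rejected attempts are skipped: a stolen or shared certificate that never
    authenticated successfully is a different signal than a shared one.
    """
    for line in text.splitlines():
        if "Login OK" not in line:
            continue
        attrs = dict(ATTR_RE.findall(line))
        if "TLS-Client-Cert-Common-Name" in attrs and "Calling-Station-Id" in attrs:
            yield attrs


def certs_to_macs(text):
    """Map each client-certificate CN to the set of normalised MACs it used."""
    seen = defaultdict(set)
    for rec in parse_records(text):
        cn = rec["TLS-Client-Cert-Common-Name"]
        seen[cn].add(normalize_mac(rec["Calling-Station-Id"]))
    return seen


def find_shared_certificates(text):
    """Return {cert_cn: sorted MAC list} for certificates seen from >1 MAC."""
    return {cn: sorted(macs)
            for cn, macs in certs_to_macs(text).items()
            if len(macs) > 1}


if __name__ == "__main__":
    for cn, macs in sorted(find_shared_certificates(SAMPLE_LOG).items()):
        print("certificate %s used from %d MACs: %s" % (cn, len(macs), ", ".join(macs)))
```

Run against the constructed records this reports only phone-0042. Two caveats a practitioner would add: the check only works if the NAS actually sends Calling-Station-Id, and devices that randomise their MAC per SSID (Android 10 and later, iOS 14 and later do this by default) will legitimately present different addresses over time, so the rule has to be paired with a policy on stable identifiers or it will generate false positives.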