FR3 - EAP-[T]LS - Win10
Ted Hyde (RSI)
thyde at rndstudio.com
Sun Oct 13 20:31:08 CEST 2019
Greets -
I've been tasked with rolling over some of our *pple *pads which were
perfectly happy with EAP-TLS and an FR3 service to Win10 PC
supplicants. Admittedly, the recent releases of iOS have EAP-TLS as a
manual choice, and many of my commercial network friends advocate
EAP-TTLS instead as most of their supplicants are people who BYOD and
are thus user authenticated against a single huge network. For my
instance, I want to stay with machine auth; the devices may roam between
different smaller and independent networks (often without my direct
involvement which is ok), but I'd rather not have individual certs and
credentials for every supplicant that I would have to replicate to each
remote site. The convenience of manually installing a certificate then
handing off the device to others to deploy actually is the better path
for me. Bulking all the supplicants into a single username/pwd is little
different than wpa2-personal wherein eventually someone will write down
the credential and leak it to others. With me having to manually install
a certificate (ok, fine, a "Really, really long and difficult password
file"), at least there is mitigation of the "password on a post-it"
problem. The control over all the supplicants coming across my desk for
a certificate install is fine and preferred; once installed using the
same process, those devices then fan out and deploy to the field through
whatever path they need to take. It would be arduous to deal with
independent creds and mac address recording, then deploy those to field
sites, and then keep updating as the supplicants potentially move around
from site to site.
Having attempted WinXP/Vista/7/8.1 with the xpextensions fix but never
actually having success with it a long time ago, I was trying to find
recent tutorials (written preferably in 2019 at least) that walked
through a path of FR3, EAP-TLS and Win10. I have not really been
successful. Even the pointers to deployingradius.com didn't pan out,
(site seems to have been thinned of late) and I am of the belief through
some other research that EAP-TLS is becoming less useful and EAP-TTLS is
getting the preferential treatment despite apparently EAP-TTLS under
certain conditions being ranked as "less secure" (PAP-leading, for
example). I do recall a very in-depth slide show a bit ago discussing
that topic.
Does anyone have an FR3/EAP-[T]TLS/Win10 tutorial that is tested
functional that they would be willing to point to? If TTLS, is there a
practice that would replicate the points above (the difficult to copy
credential aspect in particular) of TLS? Cert generation would
preferably be via openssl and FR3's scripting. Replicating certs to the
remote sites is already part of my existing workflow.
And of course, the great opinion request - is EAP-TLS under FR3 against
Win10 a lost proposition? One specific protocol and its traditional
implementation may not be the only option here; out of the box thinking
is encouraged, so suggest away.
My fully functional FR3 instances include Debian9, Cisco APs under
EAP-TLS, Cisco switchgear and the aforementioned iPads/Android devices.
(To date all my win PCs are hardwired....)
I was literally just about to try one other tutorial I googled, and as I
went to reach for the POE supply for my AP, it seems to have gone for a
walk itself...might be trying to tell me something....
Kindest regards,
Ted.