Hi Arthur,

TTLS IS available for XP as a 3rd party product (there are a few available I know of: Meetinghouse, Funk, Alfa & Ariss (developed for SURFnet), ...). There is even TTLS support for Linux and there is a beta for Pocket PC.
I think TTLS is better than MS's PEAP, and I'm not alone. I'm working for my internship at SURFnet, where we see many customers (e.g. universities) implementing TTLS for their authentication, for both wired and wireless connections. (There were also some problems with LEAP/PEAP experiments in the past. Besides, TTLS makes roaming possible, with just EAP support in the proxying RADIUS server.)
It works nicely with existing authentication backends, using RADIUS (Radiator mostly), and I hope other products (FreeRADIUS!) implement TTLS as well!


Paul
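As an added illustration of the deployment Paul describes (it is not from this thread, and FreeRADIUS gained EAP-TTLS via rlm_eap_ttls only after this exchange), here is a FreeRADIUS configuration sketch in which only the home RADIUS server terminates the TTLS tunnel and checks the tunnelled PAP password against LDAP, while the proxying server merely forwards EAP for the realm without holding any TLS material. The file paths, realm name, address and shared secret are assumptions.

```conf
# --- Home (end) RADIUS server: raddb/mods-available/eap ---
# Only this server needs the TLS key pair: it alone terminates the TTLS tunnel.
eap {
    default_eap_type = ttls
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }
    ttls {
        tls = tls-common
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # The decrypted inner request (User-Name, User-Password) is handed
        # to this virtual server, where PAP is checked against the backend.
        virtual_server = "inner-tunnel"
    }
}
# --- Home server: raddb/sites-available/inner-tunnel (relevant parts) ---
# PAP carries the cleartext password inside the tunnel, so the backend may
# store a crypt hash (pap compares it) or verify it with an LDAP bind.
server inner-tunnel {
    authorize {
        ldap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
    }
}

# --- Visited (proxying) RADIUS server: raddb/proxy.conf ---
# No TLS keys here; it only relays EAP-Message for realm example.org to
# the home server. Address, realm and secret are placeholders.
home_server home_example {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = replace-with-shared-secret
}
home_server_pool pool_example {
    type        = fail-over
    home_server = home_example
}
realm example.org {
    auth_pool = pool_example
}
```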

Artur Hecker wrote:

hi paul


all this is great (especially this peap termination!), however TTLS is not available in windows xp and probably never will be, since it is a concurrent draft to peap. if they wanted to use ttls they wouldn't have submitted their own draft on exactly the same idea one year after ttls or something.


i understood that benoît used windows xp so there is no other choice than the ones proposed: md5, tls, peap, basta :-)


ciao artur


Paul Dekkers wrote:


Hi,

MD5 isn't secure (it's e.g. possible to do a man-in-the-middle attack), and the PEAP you mention IS secure, however I don't like the PEAP implementation when I compare it with TTLS. Using PEAP, the RADIUS server that is connected to the authenticator MUST be able to terminate PEAP, even if it's proxying the request to another RADIUS server. (That is what I've seen in tests, so I assume it's correct.)

TTLS uses an encrypted path over EAP, and supports PAP for password checks in a secure way. The advantage is that TTLS must only be terminated at the end RADIUS server that knows the client (and PAP can be checked against different backends; I guess it doesn't even matter if the password is encrypted, as with Unix passwords). The credential transfer is completely over a secure path; proxying RADIUS servers only have to support EAP.

I really hope Microsoft implements TTLS some day as an EAP authentication standard in Windows; there are already a few good supplicants available. FreeRADIUS doesn't support TTLS as an authentication server, however, and that's a pity too. E.g. Radiator already does TTLS.

Paul

Artur Hecker wrote:

hi


it's a point of view. the certificate can belong to the user or to the machine in the same manner. windows xp explicitly distinguishes that and allows you to use machine credentials when no user info is available, or guest credentials when no machine info is available, etc.

if you want to authenticate the user, you have to use user certificates
and put those in the user cert. repository. that's all and that has
nothing to do with freeradius.

on the freeradius side, according to tls, no user passwords have to be stored.
freeradius does not support ldap for certificate storage for eap/tls at
the moment and probably never will (it's actually not very necessary).

on the other hand, your question about passwords has nothing to do with
TLS. tls is based on PK crypto, i.e. priv key, cert, etc. if you want a
password etc., you should use md5 (hehe) or the (still) proprietary peap
perhaps. that has nothing to do with freeradius either :-) peap will
hardly be implemented before its standardization though.


ciao artur



Benoît Bécel wrote:


I don't succeed in installing eap-md5 with windows xp, but I succeed with
eap-tls!
But I can only authenticate the computer with the certificate, and I
would like to authenticate the user with a login and a password via LDAP!


If you have any suggestions to help me ....

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html