Dave Mason <[EMAIL PROTECTED]> wrote:
> Before flaming me, I searched the archives back to June and saw posts
> from people working on PEAP, but nothing about any expected arrival
> date.

Multiple people claim to have been working on it. No patches yet, though.

> We would like to use a Freeradius implementation but need some
> idea of its availability for our planning. Even a ballpark figure
> would help - December? March? I understand that TTLS is in the CVS
> head, so maybe some common code is done?

From what I can tell of reading the specs, TTLS is TLS + Diameter in the TLS tunnel. PEAP is TLS + EAP in the TLS tunnel. So from that perspective, 99% of the work for PEAP should already be done, because TTLS is already in the server.

There's a problem, though. Its name is Microsoft. Not only do they not know how to program, they don't know how to design protocols, or how to write specs, or how to implement those specs. They did *all* of those stages wrong with PEAP.

When I did the TTLS work, I read the spec, wrote some code, poked around with TLS certificates, and got it working pretty quickly. In fact, the major portion of the work for TTLS was re-arranging the EAP module & server core to allow the later TTLS code to work. The implementation of TTLS itself is simple, as the TTLS module is small.

But PEAP is different. It's not EAP inside of TLS. It's something that's not quite EAP, inside of something that's not quite TLS. Further, there are three versions of the protocol: 0, 1, and 2. To be completely inter-operable, any PEAP module will have to implement all 3 versions.

But even that isn't good enough. Read some of the PEAP-related articles on the net. There's the Microsoft implementation of PEAP, and the Cisco implementation of PEAP. They don't inter-operate. There are multiple PEAP clients, each of which has different bugs, and which implement the protocol slightly differently. So PEAP isn't one protocol. It's more like 5-10 closely related protocols.

My conclusion is that PEAP sucks. PEAP sucks horribly. It's an incredibly stupid protocol, described in a poorly written spec, and implemented even more poorly.

In contrast, TTLS is wonderful, beautiful, and simple. It's designed correctly, described well, and implemented almost trivially.

My suggestion for people wanting PEAP (and who've read this far in the rant) is for them to get PEAP packet traces for multiple clients and servers, and post them on the net. Include packet data from inside & outside of the TLS tunnel, and also which clients & server software you're using. Post the URL to the list, and I'll start collecting the data for anyone implementing PEAP.

And if you're worried about client/server licenses forbidding "reverse engineering", do that work and post it in a free country like Canada, where those clauses are unenforceable, and the DMCA doesn't exist.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
