Thanks for the update. I knew you didn't like PEAP, and it sounds like you have plenty of reasons. Unfortunately it looks here to stay for a while. If anyone who is working on it can follow up with the current status, I think that information would be well received across the list. Hopefully the Microsoft and Cisco versions aren't mutually exclusive. If they are, it would be good if the PEAP module could support both, and you could pick the one you want through configuration. I know there are commercial RADIUS servers that say they support PEAP - I wonder what they do...

Dave

Alan DeKok wrote:

Dave Mason <[EMAIL PROTECTED]> wrote:


Before flaming me, I searched the archives back to June and saw posts from people working on PEAP, but nothing about any expected arrival date.

Multiple people claim to have been working on it. No patches yet, though.

We would like to use a Freeradius implementation but need some idea of its availability for our planning. Even a ballpark figure would help - December? March? I understand that TTLS is in the CVS head, so maybe some common code is done?

From what I can tell of reading the specs, TTLS is TLS + Diameter in the TLS tunnel. PEAP is TLS + EAP in the TLS tunnel. So from that perspective, 99% of the work for PEAP should already be done, because TTLS is already in the server.

 There's a problem, though.  Its name is Microsoft.  Not only do
they not know how to program, they don't know how to design protocols,
or how to write specs, or how to implement those specs.  They did *all*
of those stages wrong with PEAP.

 When I did the TTLS work, I read the spec, wrote some code, poked
around with TLS certificates, and got it working pretty quickly.  In
fact, the major portion of the work for TTLS was re-arranging the EAP
module & server core to allow the later TTLS code to work.  The
implementation of TTLS itself is simple, as the TTLS module is small.

 But PEAP is different.  It's not EAP inside of TLS.  It's something
that's not quite EAP, inside of something that's not quite TLS.
Further, there are three versions of the protocol: 0, 1, and 2.  To be
completely inter-operable, any PEAP module will have to implement all
3 versions.

 But even that isn't good enough.  Read some of the PEAP related
articles on the net.  There's the Microsoft implementation of PEAP,
and the Cisco implementation of PEAP.  They don't inter-operate.
There are multiple PEAP clients, each of which has different bugs,
and which implement the protocol slightly differently.

 So PEAP isn't one protocol.  It's more like 5-10 closely related
protocols.

 My conclusion is that PEAP sucks.  PEAP sucks horribly.  It's an
incredibly stupid protocol, described in a poorly written spec, and
implemented even more poorly.  In contrast, TTLS is wonderful,
beautiful, and simple.  It's designed correctly, described well, and
implemented almost trivially.

My suggestion for people wanting PEAP (and who've read this far in the rant), is for them to get PEAP packet traces for multiple clients and servers, and post them on the net. Include packet data from inside & outside of the TLS tunnel, and also which clients & server software you're using. Post the URL to the list, and I'll start collecting the data for anyone implementing PEAP.

 And if you're worried about client/server licenses forbidding
"reverse engineering", do that work and post it in a free country like
Canada, where those clauses are unenforceable, and the DMCA doesn't
exist.

Alan DeKok.
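The layering Alan describes (TTLS = Diameter AVPs inside a TLS tunnel, PEAP = EAP inside a TLS tunnel, with the method version carried in the low bits of the EAP-TLS-family flags byte), as an added example that is not code from this thread or from FreeRADIUS. The outer header follows RFC 3748 and the EAP-TLS/TTLS/PEAP flags layout (L M S R R V V V); the header-less inner EAP form is this example's reading of PEAPv0 behaviour and is an assumption, as are the sample values (user name, vendor AVP, challenge bytes), which are constructed here. Inner payloads are only visible after TLS decryption.

```python
import struct

EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 13, 21, 25
EAP_REQUEST, EAP_RESPONSE = 1, 2
# Flags byte shared by EAP-TLS, EAP-TTLS and PEAP: L M S R R V V V
FLAG_LENGTH, FLAG_MORE, FLAG_START, VERSION_MASK = 0x80, 0x40, 0x20, 0x07


def build_outer(code, ident, eap_type, flags, tls_data=b"", tls_total_len=None):
    """Build an EAP-TLS-family packet; tls_total_len sets the L flag."""
    if tls_total_len is not None:
        flags |= FLAG_LENGTH
    body = bytes([eap_type, flags])
    if tls_total_len is not None:
        body += struct.pack("!I", tls_total_len)  # TLS Message Length field
    body += tls_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_outer(pkt):
    """Parse the EAP header plus flags byte and return the TLS fragment."""
    if len(pkt) < 6:
        raise ValueError("short EAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP):
        raise ValueError("not an EAP-TLS-family packet: type %d" % eap_type)
    off, total = 6, None
    if flags & FLAG_LENGTH:
        if len(pkt) < off + 4:
            raise ValueError("L flag set but TLS Message Length is missing")
        total = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    # EAP-TLS keeps the low three bits reserved; TTLS and PEAP use them as the
    # protocol version, which is why a PEAP server must track v0/v1/v2 per peer.
    return {"code": code, "id": ident, "type": eap_type,
            "version": flags & VERSION_MASK,
            "start": bool(flags & FLAG_START), "more": bool(flags & FLAG_MORE),
            "tls_total_len": total, "tls_data": pkt[off:]}


def build_avp(code, data, vendor=None, mandatory=True):
    """Encode one Diameter AVP as EAP-TTLS carries it inside the tunnel."""
    flags = (0x80 if vendor is not None else 0) | (0x40 if mandatory else 0)
    length = 8 + (4 if vendor is not None else 0) + len(data)
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)  # pad to 4-byte boundary


def parse_ttls_avps(buf):
    """Decode the AVP sequence from a decrypted EAP-TTLS tunnel payload."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack("!II", buf[off:off + 8])
        avp_flags, avp_len = flags_len >> 24, flags_len & 0xFFFFFF
        hdr, vendor = 8, None
        if avp_flags & 0x80:  # V bit: a Vendor-Id field follows the header
            if len(buf) - off < 12:
                raise ValueError("truncated vendor-specific AVP")
            vendor = struct.unpack("!I", buf[off + 8:off + 12])[0]
            hdr = 12
        if avp_len < hdr or off + avp_len > len(buf):
            raise ValueError("bad AVP length %d" % avp_len)
        avps.append({"code": code, "vendor": vendor,
                     "mandatory": bool(avp_flags & 0x40),
                     "data": buf[off + hdr:off + avp_len]})
        off += (avp_len + 3) & ~3  # skip padding to the next 4-byte boundary
    return avps


def parse_peap_inner(buf, header_present):
    """Decode one EAP packet from a decrypted PEAP tunnel payload.

    header_present=True expects a full RFC 3748 header (Code, Id, Length, Type).
    header_present=False expects only Type + Type-Data, the header-less form
    this example assumes for PEAPv0 inner methods ("not quite EAP").
    """
    if header_present:
        if len(buf) < 5:
            raise ValueError("short inner EAP packet")
        code, ident, length, eap_type = struct.unpack("!BBHB", buf[:5])
        if length != len(buf):
            raise ValueError("inner EAP Length mismatch")
        return {"code": code, "id": ident, "type": eap_type, "data": buf[5:]}
    if not buf:
        raise ValueError("empty inner EAP packet")
    return {"code": None, "id": None, "type": buf[0], "data": buf[1:]}


# Constructed samples: a PEAP Start offering version 1, and a TTLS inner
# payload with User-Name (1) plus a Microsoft (vendor 311) MS-CHAP-Challenge
# (11) AVP carrying a made-up 16-byte challenge.
SAMPLE_PEAP_START = build_outer(EAP_REQUEST, 7, EAP_TYPE_PEAP, FLAG_START | 1)
SAMPLE_TTLS_INNER = build_avp(1, b"alice") + build_avp(11, bytes(range(16)), vendor=311)

if __name__ == "__main__":
    print(parse_outer(SAMPLE_PEAP_START))
    for avp in parse_ttls_avps(SAMPLE_TTLS_INNER):
        print(avp)
    print(parse_peap_inner(b"\x01bob", header_present=False))
```

The decoders reject length mismatches rather than trusting the Length fields, which is the first thing to get right in a server that will see the assorted client implementations the thread describes.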

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html