Re: [Emu] Crypto-binding in TTLS-v0
Nancy Winget (ncamwing) wrote:
> Thanks Alan, I am glad to see that the evaluation is continuing on the thread. I think both TTLS and EAP-FAST are being widely deployed and both merit consideration.

I think EAP-FAST has been considered, and has little support. I've never seen an EAP-FAST deployment, and most people I talk to haven't seen one, either. Most people I talk to don't plan on supporting EAP-FAST any time soon.

Alan DeKok.
___
Emu mailing list
Emu@ietf.org
https://www1.ietf.org/mailman/listinfo/emu
RE: [Emu] Crypto-binding in TTLS-v0
Alan,

I think we can all agree that without the help of the market analysts measuring deployment, comparing our personal perceptions of deployment is a bit like the five blind men and the elephant.

I had the pleasure of helping to bring TTLS into the market. The industry conditions in 2003 were very different from 2005-2006. 2003 was a greenfield market so adoption of a strong EAP method was instant (especially with the then prevailing embarrassment of WEP as a protection scheme). By the time EAP-FAST arrived, EAP-FAST had to earn adoption on its own merits. The adoption characteristic was naturally different from TTLS or PEAP.

Gene

Eugene Chang (genchang)
WNBU, Technical Leader
Office: 603-559-2978
Mobile: 781-799-0233

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 16, 2007 10:57 AM
To: Gene Chang (genchang)
Cc: Nancy Winget (ncamwing); Ryan Hurst; emu@ietf.org
Subject: Re: [Emu] Crypto-binding in TTLS-v0

Gene Chang (genchang) wrote:
> It is not unusual for developers to be unaware of the breadth of the EAP-FAST market adoption. It has been growing under the radar for a lot of people since market research firms do not track market share of different EAP methods.

I do rather a bit more than just development. I work with people deploying systems from 100 to 10M+ users. I don't see EAP-FAST being adopted. I *do* hear rumors about EAP-FAST from enterprises who have bought single source solutions.

> Part of the misperception that EAP-FAST has no market presence has been because no one has been drawing attention to the adoption success of EAP-FAST. I am hoping to assemble some public data to shed a light on the secret life of EAP-FAST.

People haven't drawn attention to the adoption success of PEAP or TTLS, either. Instead, people just deployed it in large numbers. I started hearing about PEAP and TTLS almost as soon as they were proposed. There was quick and immediate demand for both protocols from a wide range of systems (small, medium, large). I've seen nothing similar happen with EAP-FAST (so far).

Part of the misperception that EAP-FAST has a large market presence has been that the people who are deploying it don't talk to the people *not* deploying it, and vice versa. Within the EAP-FAST camp, it looks like there's wide-spread adoption. Outside of it, it just doesn't come up in any conversation.

Alan DeKok.
Re: [Emu] Crypto-binding in TTLS-v0
Gene Chang (genchang) wrote:
> I think we can all agree that without the help of the market analysts measuring deployment, comparing our personal perceptions of deployment is a bit like the five blind men and the elephant.

I disagree. Sufficient volumes of data make personal perception statistically significant. That's just what market analysts do.

> The adoption characteristic was naturally different from TTLS or PEAP.

The only relevant characteristic is volume of deployments.

Alan DeKok.
RE: [Emu] Crypto-binding in TTLS-v0
There is an EAP-FAST module for EAPHost plug-in, which currently uses three hard coded inner methods, EAP-GTC, EAP-MSCHAPv2 and EAP-TLS. But it can be extended to work with EAPHost supplicant interface to load any inner method registered with EAPHost.

Will you have a POTP plug-in soon? The problem is to find a server that supports provisioning with POTP. I can work with you to make it happen.

-----Original Message-----
From: Gene Chang (genchang)
Sent: Thursday, August 16, 2007 11:36 AM
To: [EMAIL PROTECTED]; emu@ietf.org
Subject: RE: [Emu] Crypto-binding in TTLS-v0

Dave,

There is an EAP-FAST implementation on FreeRADIUS from Jouni Malinen. I don't know how much testing has already gone into the module. I don't know of a client side implementation with APIs for you to integrate the SecurID PAC provisioning.

Gene
--
Eugene Chang (genchang)
WNBU, Technical Leader
Office: 603-559-2978
Mobile: 781-799-0233

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 16, 2007 11:01 AM
To: emu@ietf.org
Subject: RE: [Emu] Crypto-binding in TTLS-v0

I'm with Alan on this. I still haven't seen one yet either.

But I'd love to see a version of EAP-FAST that I _could_ work with. Meaning:
- it runs with something more accessible than the Cisco ACS server, preferably an open source or reference copy. Maybe even a Windows/IAS plugin.
- there is a Windows EAPhost supplicant available, preferably with interfaces for tunnelled methods and/or interfaces for the ID we wrote for SecurID PAC provisioning: draft-cam-winget-eap-fast-potp-provisioning-00.txt (hmm... time to renew that)

If you have any of this, let me know.

Dave Mitton, RSA - Security Division of EMC.

Original Message
From: [EMAIL PROTECTED]
Date: Aug 16, 2007 10:13
To: Alan DeKok[EMAIL PROTECTED], Nancy Winget (ncamwing) [EMAIL PROTECTED]
Cc: Ryan Hurst[EMAIL PROTECTED], emu@ietf.org
Subj: RE: [Emu] Crypto-binding in TTLS-v0

Alan,

It is not unusual for developers to be unaware of the breadth of the EAP-FAST market adoption. It has been growing under the radar for a lot of people since market research firms do not track market share of different EAP methods.

Part of the misperception that EAP-FAST has no market presence has been because no one has been drawing attention to the adoption success of EAP-FAST. I am hoping to assemble some public data to shed a light on the secret life of EAP-FAST.

Gene
--
Eugene Chang (genchang)
WNBU, Technical Leader
Office: 603-559-2978
Mobile: 781-799-0233

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 16, 2007 8:46 AM
To: Nancy Winget (ncamwing)
Cc: Ryan Hurst; emu@ietf.org
Subject: Re: [Emu] Crypto-binding in TTLS-v0

Nancy Winget (ncamwing) wrote:
> Thanks Alan, I am glad to see that the evaluation is continuing on the thread. I think both TTLS and EAP-FAST are being widely deployed and both merit consideration.

I think EAP-FAST has been considered, and has little support. I've never seen an EAP-FAST deployment, and most people I talk to haven't seen one, either. Most people I talk to don't plan on supporting EAP-FAST any time soon.

Alan DeKok.
Re: [Emu] Crypto-binding in TTLS-v0
On Thu, Aug 16, 2007 at 11:39:31AM -0400, Alan DeKok wrote:
> Gene Chang (genchang) wrote:
> > There is an EAP-FAST implementation on FreeRADIUS from Jouni Malinen.
>
> If there was, I would have known about it.

Yes, and I would assume I would also be aware of this should such a thing have happened ;-).

> Jouni has added EAP-FAST to hostapd and to wpa_supplicant. While hostapd is a RADIUS server, it's pretty minimal. i.e. no database support, no policy language, etc.

I added EAP-FAST support to hostapd mainly to make it (much) easier for me to test client side code in wpa_supplicant. Anyway, that means that there is an open source implementation available for both the server and peer side of EAP-FAST should someone be interested in testing them and was just waiting for a broader set of available implementations or access to source code.

I would obviously be interested in any feedback on the implementations, too. I try to run as complete interop tests with other implementations as feasible, but don't really have unlimited resources for doing this, so any additional testing would be welcome.

Sure, hostapd as a RADIUS server is not meant for large and complex deployments, but I think it works well as a testbed component for testing various EAP methods, including EAP-FAST. In addition, based on past history, it looks like I have quite an open view in adding support for new EAP methods regardless of their completeness, popularity, or even suitability for anything ;-). I see this as one of the best ways to evaluate protocol designs and specifications and more or less a mandatory part of standard development.

--
Jouni Malinen
PGP id EFC895FA