RE: PEAP vs TLS

2018-02-27 Thread Jason Cook


- Support 802.1x? -
Yes

- use EAP-PEAP on campus? -
Yes

- use EAP-TLS on campus? -
Yes

- What PKI/CA do you use: -

- If both, why and is one preferred? -
We’ve always had EAP-PEAP since 2006 when we first started. We used Cloudpath 
Wizard a few years later to help configure clients, and migrated to Cloudpath 
Enrolment System when it came out and use EAP-TLS.
We don’t force EAP-TLS, but essentially push all users requiring support to 
Cloudpath and EAP-TLS
EAP-PEAP remains available, we may consider turning it off in the future but
there’s other fish to fry. TLS is organically growing pretty well.

If you want EAP-TLS Cloudpath has been great, many people love Secure W2. Check 
them both out

Brief description of why you’re doing what you’re doing and anything else that 
might be helpful:

Fewer lockouts from client devices are a great bonus at password change time.
Also if an AD lockout occurs (for any reason), an EAP-TLS configured device 
still gets authenticated and has wifi access.

Have generally found that many clients are happier on EAP-TLS. After reports of 
stability issues, investigating RF and no real problems. EAP-TLS and users 
claim things are better.

--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

CRICOS Provider Number 00123M
---
This email message is intended only for the addressee(s) and contains 
information which may be confidential and/or copyright.  If you are not the 
intended recipient please do not read, save, forward, disclose, or copy the 
contents of this email. If this email has been sent to you in error, please 
notify the sender by reply email and delete this email and any copies or links 
to this email completely and immediately from your system.  No representation 
is made that this email is free of viruses.  Virus scanning is recommended and 
is the responsibility of the recipient.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Morton
Sent: Saturday, 24 February 2018 3:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP vs TLS

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] PEAP vs TLS

2018-02-27 Thread Aaron Abitia
 Hi David,

Aaron here from Cal Poly University in San Luis Obispo...

*Do you*:

- Support 802.1x? -

Yes.


*If yes, do you*:

- use EAP-PEAP on campus? -

Yes.

- use EAP-TLS on campus? -

Yes.

- What PKI/CA do you use: -

For PEAP, we use Comodo/Incommon as the CA for the RADIUS and HTTPS certs
that we load into Aruba Clearpass, which acts as our RADIUS.  For EAP-TLS,
we use Aruba Clearpass Onboarding, which acts as its own PKI, and again, we
use Comodo/Incommon as the CA for the RADIUS and HTTPS certs in Clearpass.

- If both, why and is one preferred? -

We started out with PEAP, then rolled in EAP-TLS; the reason for this was
that because we're Education, we don't have centralized management of
devices, but rather BYOD, so getting certs to users' devices so that the
devices bark less was difficult.  With PEAP, we made a mobile config
profile available to IOS users so that those devices barked less about
seeing a new cert--you still get an "I see a new cert" popup in IOS/AppleOS
but at least there's no dreaded "Not Verified" message in red letters--then
with non-Apple devices we made do with the Root CA certs that came with the
OS, but that still meant that we had to instruct users on how to configure
the "verify server certificate" settings.

All of those certificate issues are why we started using Aruba's Onboarding
for EAP-TLS, where all we needed to worry about was having valid RADIUS/HTTPS
certs on Clearpass.  The device connects to the Onboarding SSID, they login
with a browser and the device is then provisioned for our main SSID.  With
EAP-TLS, your WiFi system doesn't go down if AD has a problem because
devices are authenticated to Clearpass.  Also, there are fewer password
problems that come with AD, should a user's account get locked. And, if a
device is infected, you can revoke access for that one device, instead of
blocking their username and thus all their devices. But the main thing is
that your help desk theoretically has fewer visits since users can use
Onboarding anywhere.  We wanted to eventually turn off PEAP, but by having
PEAP available, there's that safety net if users cannot Onboard, and also,
we do PEAP on Eduroam as well.  Because we have ~25K devices that all want
on WiFi, there's always going to be users who, for whatever reason, are
unable to Onboard...their device is messed up, the provisioning process
crashes, etc.  That said, with PEAP there can be issues of manual device
configuration, depending upon the OS; that is less of a factor today than it
used to be, though.


- If only PEAP, are you planning EAP-TLS? -

Brief description of why you’re doing what you’re doing and anything else
that might be helpful:

One of the main issues that may influence which way you go is how sensitive
your organization is to popups on devices, in particular "certificate
cannot be verified" type messages.  Some universities don't care, just
click "OK" or "Proceed" the one time and you'll never see it again, in
which case PEAP might be okay for you.  In other universities, they won't
allow that, the whole connection experience must be as free of those popups
as possible, and that's where Aruba Onboarding helps.  As far as the manual
configuration on devices that you need to do for a PEAP connection, that
has subsided as OSes got better at WiFi; in the early days of WiFi that was
a bigger issue and is what made EAP-TLS/Onboarding so attractive.


P.S. Go Cougars...sorry man, I lived in Pullman as a kid.




On Fri, Feb 23, 2018 at 8:58 AM, David Morton  wrote:


-- 
Aaron Abitia
Network Analyst
Enterprise Systems, Networks
Information Technology Services
Cal Poly State University
Tel: 805.756.1295


Re: PEAP vs TLS

2018-02-27 Thread Eriks Rugelis
>Do you:
>- Support 802.1x? - 
Yes.

>If yes, do you:
>- use EAP-PEAP on campus? - 
Yes.

>- use EAP-TLS on campus? - 
No.

>- What PKI/CA do you use: - 
GlobalSign.

>- If only PEAP, are you planning EAP-TLS? - 
No.

When 802.1x was launched here, PEAP was the lowest common denominator for
machine-based authentication across the fleet of BYOD clients.  PEAP continues
to be deemed 'good enough' for our needs.  A project proposal to deploy EAP-TLS
continues to be difficult to justify in terms of resource allocation vs. other
service improvements and operational fires.



Re: [WIRELESS-LAN] PEAP vs TLS

2018-02-26 Thread David Morton
Thanks Bruce.

David



On Feb 26, 2018, at 8:31 AM, Curtis, Bruce <bruce.cur...@ndsu.edu> wrote:



Re: [WIRELESS-LAN] PEAP vs TLS

2018-02-26 Thread Turner, Ryan H
Our main issues continue to be with Android on TLS, but SecureW2 has made it 
much better.   We’ve had no real issues with Windows or any other major OS.  

We support TTLS for eduroam until this Wednesday, when it will be disabled (for
our own users).  When we checked our logs, about 600 users were configured for
TTLS (out of over 60-100k yearly onboards for TLS).  So 1%.  You’ll see more of
this if you’ve come from a PEAP environment where virtually no one onboarded.
You’ll have to disable PEAP after some time to force everyone to TLS.

To answer David’s other question.   We use AD PKI integrated with SecureW2.  We 
(networking) did not want to run a PKI.  I ‘think’ we are on our own 
intermediary off our own offline root.  

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office
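Ryan's log check (about 600 TTLS users against the yearly TLS onboards, so roughly 1%) is the kind of inventory worth running before a legacy method is switched off. The following is an added example, not code from the thread or from SecureW2: Python that tallies accepted 802.1X authentications per EAP method and lists the users seen only with PEAP/TTLS; the log lines and their key=value layout are constructed for illustration and are not any RADIUS product's real format.

```python
"""Tally which EAP methods users actually authenticate with before a legacy
method is switched off. Added example, not from the thread; the log lines and
their key=value layout are constructed, not any RADIUS product's real format."""
from collections import defaultdict

SAMPLE_LOG = """\
ts=2018-02-20T08:01:12Z result=accept user=alice@example.edu eap=TLS nas=ap-101
ts=2018-02-20T08:02:40Z result=accept user=bob@example.edu eap=TTLS nas=ap-101
ts=2018-02-20T08:03:05Z result=accept user=carol@example.edu eap=TLS nas=ap-102
ts=2018-02-20T09:15:33Z result=accept user=bob@example.edu eap=TLS nas=ap-103
ts=2018-02-20T09:20:01Z result=accept user=dave@example.edu eap=PEAP nas=ap-102
ts=2018-02-20T10:02:59Z result=reject user=erin@example.edu eap=TTLS nas=ap-104
ts=2018-02-20T10:03:10Z result=accept user=erin@example.edu eap=TTLS nas=ap-104
ts=2018-02-20T11:41:27Z result=accept user=frank@example.edu eap=TLS nas=ap-101
ts=2018-02-20T12:00:00Z result=accept user=alice@example.edu eap=TLS nas=ap-105
"""

LEGACY = {"PEAP", "TTLS"}  # password-based methods being retired


def parse_line(line):
    """Split one constructed key=value log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def eap_inventory(log_text):
    """Map EAP method -> set of users accepted with it.
    Rejects are skipped: a failed attempt says little about a working profile."""
    by_method = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("result") != "accept" or "user" not in f or "eap" not in f:
            continue
        by_method[f["eap"].upper()].add(f["user"].lower())
    return dict(by_method)


def legacy_only_users(log_text, legacy=LEGACY):
    """Users who would lose access when the legacy methods are disabled:
    seen only with PEAP/TTLS, never with a non-legacy method such as TLS."""
    inv = eap_inventory(log_text)
    legacy_users = set().union(*(inv.get(m, set()) for m in legacy))
    modern_users = set().union(*(u for m, u in inv.items() if m not in legacy))
    return legacy_users - modern_users


def legacy_share(log_text, legacy=LEGACY):
    """Fraction of all accepted users who are legacy-only (Ryan's '600 of 60k')."""
    inv = eap_inventory(log_text)
    everyone = set().union(*inv.values())
    return len(legacy_only_users(log_text, legacy)) / len(everyone) if everyone else 0.0


if __name__ == "__main__":
    for method, users in sorted(eap_inventory(SAMPLE_LOG).items()):
        print(f"{method}: {len(users)} users")
    print("legacy-only:", sorted(legacy_only_users(SAMPLE_LOG)))
    print(f"legacy share: {legacy_share(SAMPLE_LOG):.1%}")
```

Users who show up with both a legacy method and TLS (bob above) are not counted as stranded, since they already have a working TLS profile on at least one device.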

> On Feb 26, 2018, at 11:31 AM, Curtis, Bruce  wrote:



Re: [WIRELESS-LAN] PEAP vs TLS

2018-02-26 Thread Curtis, Bruce


> On Feb 23, 2018, at 10:58 AM, David Morton  wrote:
> 
> We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
> adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
> but all of them will take some work to get them ready for a production 
> launch. Given that resources are limited, I’m looking for some data points 
> about others who have moved, are thinking of moving or have decided not to 
> adopt EAP-TLS. 
> 
> To help gather some data can you please answer this short survey? 
> 
> Do you:
> 
> - Support 802.1x? - 

Yes.

> 
> If yes, do you:
> 
> - use EAP-PEAP on campus? - 

Yes.

> 
> - use EAP-TLS on campus? - 

Yes.

> - What PKI/CA do you use: - 
> 
> - If both, why and is one preferred? - 

We were mainly using EAP-TLS with some devices using EAP-TTLS.

We will be turning off EAP-TTLS soon.

We enabled EAP-PEAP recently because our help desk reported a significant 
percentage of Android devices had issues with EAP-TLS.

Also a smaller percentage of Windows machines had problems with EAP-TLS but it 
was decided to use EAP-PEAP for Windows devices.

We continue to use EAP-TLS for Apple devices, both iOS and Mac OS.

EAP-TLS has the advantage that a man in the middle attack can not steal a 
password, even if a user turns off the “check server certificate” verification.
Also with EAP-TLS devices do not have to be reconfigured if a password is 
changed.

So EAP-PEAP is installed on Android and Windows devices by default with 
CloudPath and EAP-TLS is installed by default on Apple devices with CloudPath.
People still have the option of configuring EAP-TLS for Android and Windows
devices and EAP-PEAP for Apple devices but that requires that they configure
that manually rather than with the installer.

> - If only PEAP, are you planning EAP-TLS? - 
> 
> Brief description of why you’re doing what you’re doing and anything else 
> that might be helpful:
> 
> 
> 
> Thank you in advance
> 
> 
> David
> 
> 
> 
> 
> David Morton 
> Director, Networks & Telecommunications
> Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
> University of Washington
> dmor...@uw.edu
> tel 206.221.7814
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
> 

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
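Aaron's note about walking users through the "verify server certificate" settings and Bruce's point that EAP-TLS exposes no password even when that check is switched off both come down to a handful of supplicant settings. The following is an added example, not code from the thread or from any vendor named in it: a small Python audit of wpa_supplicant-style network blocks that flags PEAP/TTLS profiles lacking a pinned CA or a server name match; the config text, SSIDs, file paths and identities are constructed for illustration.

```python
"""Audit wpa_supplicant-style network blocks for the server-certificate checks
the thread discusses. Added example, not from the list thread; the config text,
SSIDs, paths and identities below are constructed for illustration."""
import re

SAMPLE_CONF = """
network={
    ssid="campus-peap-unverified"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-peap-verified"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    client_cert="/etc/ssl/certs/alice.pem"
    private_key="/etc/ssl/private/alice.key"
    domain_match="radius.example.edu"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)
PASSWORD_METHODS = {"PEAP", "TTLS"}  # tunnelled methods whose inner leg carries a password
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(conf):
    """One dict of key -> value per network={...} block."""
    return [{k: v for k, _q, v in KV_RE.findall(body)} for body in BLOCK_RE.findall(conf)]


def audit_network(net):
    """Findings for one block; an empty list means nothing to flag."""
    method = net.get("eap", "").upper()
    findings = []
    if method in PASSWORD_METHODS:
        # With no pinned CA the supplicant accepts any server certificate, so the
        # password (or its MSCHAPv2 response) goes to whoever answers as the SSID.
        if "ca_cert" not in net:
            findings.append("HIGH: no ca_cert, server certificate is not verified")
        # A CA alone is not enough when it is a public CA: any cert it issued passes.
        if not any(k in net for k in NAME_CHECKS):
            findings.append("HIGH: no server name match (domain_match or similar)")
    elif method == "TLS":
        # EAP-TLS sends no password, so a rogue server learns only the client
        # certificate; still pin the CA so the device does not join an impostor AP.
        if "ca_cert" not in net:
            findings.append("LOW: no ca_cert, device may associate with an impostor AP")
    return findings


def audit_conf(conf):
    """Map ssid -> findings for every block in the config text."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}
```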





Re: PEAP vs TLS

2018-02-23 Thread Sweetser, Frank E
We have been using certificates for many years now, with good results.  We've 
never used EAP-PEAP.


We have two PKIs.  For administrative systems that are joined to our AD domain, 
the domain PKI automatically issues certificates that are trusted, effectively 
auto-configuring the system.  For anything else, including BYOD, we use
Cloudpath, with its built-in PKI.


Having the wireless authentication decoupled from the account process has been 
very helpful over the years:


- Fewer lockouts due to badly configured mobile devices (doesn't help with email clients)
- Account suspensions and password changes don't knock devices offline
- No user passwords stored for wireless configurations, or shared with friends/family/etc


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of David Morton 
Sent: Friday, February 23, 2018 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP vs TLS




PEAP vs TLS

2018-02-23 Thread David Morton
We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
but all of them will take some work to get them ready for a production launch. 
Given that resources are limited, I’m looking for some data points about others 
who have moved, are thinking of moving or have decided not to adopt EAP-TLS.

To help gather some data can you please answer this short survey?

Do you:

- Support 802.1x? -

If yes, do you:

- use EAP-PEAP on campus? -

- use EAP-TLS on campus? -
- What PKI/CA do you use: -

- If both, why and is one preferred? -

- If only PEAP, are you planning EAP-TLS? -

Brief description of why you’re doing what you’re doing and anything else that 
might be helpful:



Thank you in advance


David




David Morton
Director, Networks & Telecommunications
Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu
tel 206.221.7814

