Hi Chris,
At UBC, we have rolled out PEAP (MS PEAP). We looked at TTLS but since
we already have MSChap support cooked into our single sign-on system to
support VPN PPTP, PEAP support was relatively easy.
TTLS was considered but it wasn't well supported when we made the
decision and Microsoft has no plans to support TTLS which means that an
XP Service Pack could potentially break thousands of client machines
over night. We can control the backend but we can't control end-user
machines (especially student machines).
We also felt that PEAP would have more chances to take off as the
primary EAP method since it's built-in to the windows client and windows
backends.
Our implementation is Radiator for RADIUS and Sun Directory for LDAP
(non-windows). We use mutual authentication to avoid the
man-in-the-middle attacks. With mutual authentication, the conversation
is safe from client-side attacks from what we can tell.
I keep challenging anyone to hack into PPTPv2 (with MSChapv2) but nobody
has yet shown me a working solution, so we feel very confident with
PEAP. Lots of old hacks on poorly implemented systems, but nothing working
on the latest systems when properly implemented. So my feeling is that
it's very secure when properly implemented (I'm even willing to send
anyone the MSCHAP hash that we store in our database to see if it's
crackable; it's certainly not stored in plain text... :-)
My ideal solution would be to have an easy PKI platform that allows
users to obtain wireless certs via a one time secure web login and use
the client-side certs to then authenticate over wireless but that's just
a dream I think. PEAP or TTLS appear to be the two EAP contenders with
no clear winner... Too bad that MS didn't bundle TTLS in their
supplicant, if they had, that would have been our choice.
We feel the safest is to support Microsoft natively at the client-side
even though our backend platform is not...
In the meantime, feel free to look at our documentation at
www.wireless.ubc.ca/wpa/. It has info on native PEAP support on Windows
XP, 2000, Pocket PC and Mac OS. I'll have to check on the various
flavors of Unix, but that type of user is normally capable of self-support.
... Jonn Martell, UBC IT
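As an added illustration (not from either message and not UBC's own documentation), the mutual-authentication point above expressed as wpa_supplicant network blocks for PEAP/MSCHAPv2, one without server validation and one with it; the SSID, CA path, server name, identity and password are placeholders.

```ini
# Added example, not from the UBC docs: two wpa_supplicant network blocks
# for PEAP with inner MSCHAPv2. All names and paths below are placeholders.

# WEAK: no ca_cert, so the supplicant accepts any server certificate.
# Only the server authenticates the client; the client never checks the
# server, so the inner MSCHAPv2 exchange can be driven by an untrusted
# RADIUS server behind a rogue access point.
network={
    ssid="campus-wpa"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="secret"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the supplicant validates the RADIUS server's certificate
# against a trusted CA and checks the server name, which is the mutual
# authentication the message above relies on to block man-in-the-middle.
network={
    ssid="campus-wpa"
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity sent in the clear; the real user name stays inside TLS
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="secret"
    # trust anchor for the server certificate
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    # server certificate subject/SAN must match this name exactly
    domain_match="radius.example.edu"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

On the Windows XP native supplicant the same two checks are the "Validate server certificate" and "Connect to these servers" settings in the PEAP properties dialog, with the issuing CA selected under trusted root certification authorities.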
On 6/23/2005 12:33 PM Chris Hart said the following:
At Northwestern University we are looking to move away from using VPN
for Authentication and Encryption for our wireless users.
We do not want to have to use 3rd party supplicants because of end
user support issues.
We are currently using Funk Steel Belted Radius and have tested using
802.1X with PEAP on Windows and Mac so far in small numbers with success.
TTLS does not have a built-in supplicant for Windows XP and TLS
requires a per-client certificate, so these are not good options.
This leaves PEAP or using an appliance of some sort to provide an
IPSEC tunnel or a Secure desktop SSL connection.
So my questions are:
1. Am I missing other options?
2. Is PEAP a good solution - is it secure, client issues?
Thanks,
Chris
Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********