Excellent point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords or getting their account locked out 
for failed attempts. 


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS


________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]> on behalf of Curtis, Bruce 
<[email protected]>
Sent: Monday, August 14, 2017 10:56 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry <[email protected]> wrote:
>
> To ALL:
>
>    I am going to amend my initial request to “does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below”? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven’t seen mentioned in the thread yet is that 
EAP-TLS removes the dependency on Active Directory or another identity box.
  So an outage or slowdown of Active Directory (or another external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:[email protected]] On Behalf Of Bucklaew, Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> Lee,
>
>    I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
>
> We have been an EAP-PEAP shop for years and I have always been told that 
> EAP-TLS (cert-based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert-based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the ClearPass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
>
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy, as each device will have its own cert, 
> so we can blacklist one device and let the rest stay on.  We could do those 
> things today but it is just a little harder to do with EAP-PEAP.   We can 
> also get users out of storing their usernames and passwords, because everyone 
> does it with EAP-PEAP. The thought process went: if you are going to run an 
> onboard process anyway, why not onboard with EAP-TLS?  On the wireless side 
> that is really all I have.  I have always been told it is more secure so I have 
> always thought I should try and get there.
>
> Now, we are also moving to wired authentication on every port.   We are 
> supporting both MAC auth and 802.1X (EAP-PEAP).  We did this to get the 
> project moving and get all ports to some type of authentication.  Now 802.1X 
> on the wired side is just plain difficult.  Nothing except Macs is set up for 
> it out of the box.   You need admin rights on the machine to set it up (which 
> many people on the wired side don’t have) and you almost have to run through 
> some type of onboard process to do it en masse.   You have to deal with stuff 
> like network logons and mounting drives before authentication. We also don’t 
> want the users storing usernames and passwords, and everyone will because no 
> one wants to type them in every time.   I am back to the question of whether, 
> if you are going to run through an onboard process anyway, certs will make it 
> a little easier.   It gives you the username/password separation, the ability 
> to revoke per device, and, once onboarded, never having to be bothered again 
> (until the cert expires).
>
> I am not really concerned about PEAP being deprecated; it will be around 
> forever.   I am not really concerned about usernames and passwords being 
> stolen because of EAP-PEAP; there are so many easier ways to do that.  I 
> guess it is really the username/password separation and the “thought” that it 
> is the most secure method.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:[email protected]] On Behalf Of Lee H Badman
> Sent: Thursday, August 10, 2017 3:00 PM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> Jerry,
>
> I am curious about your reasons for TLS, like whether there is anything beyond "it's better". 
> Concern for PEAP being deprecated, etc.?
>
> Lee
>
> -----Original Message-----
> From: Bucklaew, Jerry [[email protected]]
> Received: Thursday, 10 Aug 2017, 14:42
> To: [email protected] [[email protected]]
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
> To ALL:
>
>   We currently do MAC auth and EAP-PEAP authentication on our wireless 
> network.  I am trying to put together a proposal to move to cert-based 
> authentication and I was wondering if anyone has a proposal or justification 
> already written as to why you should move to cert-based auth.  Just trying to 
> save myself some typing.
>
> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.

---
Bruce Curtis                         [email protected]
Certified NetAnalyst II                701-231-8527
North Dakota State University
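The authorization model the thread describes (Curtis's check of an attribute in the user certificate instead of an LDAP lookup, Jerry's per-device revocation and "until the cert expires"), as an added Go example that is not code from any message above or from ClearPass. It assumes the role is carried as an OU value in the device certificate, that revocation is an in-memory set keyed by certificate serial, and it builds a constructed throwaway CA in place of the onboarding CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authorize is the RADIUS-side decision: trust only the onboarding CA, read the role from the
// certificate itself (assumed here: an OU value), deny revoked serials. No LDAP/AD lookup at all.
func authorize(roots *x509.CertPool, revoked map[string]bool, role string, c *x509.Certificate, now time.Time) (bool, string) {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false, "chain/validity: " + err.Error() // covers expiry and certs from any other CA
	}
	if revoked[c.SerialNumber.String()] { return false, "device revoked" }
	for _, ou := range c.Subject.OrganizationalUnit { if ou == role { return true, "ok" } }
	return false, "certificate lacks role " + role
}

// Demo builds a constructed throwaway CA and four device certs (serial 12 revoked, 13 wrong
// role, 14 expired) and returns each verdict by name; only "good" is allowed.
func Demo() map[string]bool {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Onboard CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	ca, _ := x509.ParseCertificate(caDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	revoked := map[string]bool{"12": true} // per-device denylist keyed by certificate serial
	out := map[string]bool{}
	for _, d := range []struct{ name, ou string; serial, ttlHours int64 }{
		{"good", "wireless-users", 11, 24}, {"revoked", "wireless-users", 12, 24},
		{"no-role", "guests", 13, 24}, {"expired", "wireless-users", 14, -1}} {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // each device gets its own key and cert
		der, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(d.serial),
			Subject: pkix.Name{OrganizationalUnit: []string{d.ou}}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(time.Duration(d.ttlHours) * time.Hour)}, ca, &key.PublicKey, caKey)
		c, _ := x509.ParseCertificate(der)
		out[d.name], _ = authorize(roots, revoked, "wireless-users", c, now)
	}
	return out
}
func main() { fmt.Println(Demo()) }
```

A production RADIUS server would consult a CRL or OCSP responder instead of an in-memory map, but the decision path is the same: chain, validity window, revocation, then the attribute.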

