I won't argue for or against TLS or for other methods without understanding the context and use case… What fits the risk/benefit/cost profile for a particular community or subset? Observationally, eduroam reports show only 5% of visitors to our university utilizing TLS.
We labbed up the MITM in 2006 as part of our 802.1x deployment work (having concerns). I continue to hope for better EAP implementations in the native OS (shouts at the heavens).

On other notes, I am disappointed in the slow rollout of WPA3 (I know there have been security issues). Sometimes these features are so slow they are overtaken by other solutions. For example, while we do block some services on our open guest SSID to discourage our community from using it, we’ve learned how Android will VPN tunnel through Google’s servers (unbeknownst/configured by the user) obviating these attempts on our part. I guess it does secure those users from any threats on those open networks and whoever operates them (Google, *deleted*).

William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | it.utexas.edu<https://www.utexas.edu> | [email protected]<https://www.utexas.edu>

“Most need no instructions and figure it out on their own,” may not be the virtue you think it is. How many of these users figuring it out on their own are validating your RADIUS server certs? Self-configuration invites MiM attacks that can harvest account credentials. It’s precisely the security weakness of 1x I cautioned about earlier.

Furthermore, providing an onboarding option that configures the devices correctly doesn’t prevent users from self-configuring. A good on-boarding solution will be widely used and will reduce the overall risk, but it doesn’t eliminate the problem. TLS is the only EAP type that doesn’t have this weakness.

Chuck

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
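As an added illustration of the RADIUS server-certificate question raised in the thread (this is not code from any participant or from EDUCAUSE), the Python sketch below audits wpa_supplicant-style `network={...}` blocks and flags password-carrying PEAP/TTLS profiles that lack a CA or a server name check. The sample configuration, SSIDs, file paths, and the function names `parse_networks` and `audit` are constructed for the example.

```python
import re
# Constructed sample: two hand-configured profiles and one onboarded profile.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="campus-1x"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="eduroam-onboarded"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
PASSWORD_METHODS = {"PEAP", "TTLS"}  # tunnelled methods that carry a password

def parse_networks(text):
    """Return each network={...} block as a dict of key -> unquoted value."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        blocks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return blocks

def audit(text):
    """Map SSID -> findings for profiles that send a password inside a TLS tunnel."""
    report = {}
    for net in parse_networks(text):
        eap = set(net.get("eap", "").upper().split())
        if "WPA-EAP" not in net.get("key_mgmt", "").split() or not PASSWORD_METHODS & eap:
            continue
        findings = []
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no CA configured: server certificate is not verified")
        elif not any(k in net for k in NAME_CHECKS):
            findings.append("CA set, no server name check: any certificate chaining to it passes")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns one entry per PEAP/TTLS profile; an empty findings list means both a CA and a server name constraint are configured.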
