As Tim mentioned, PEAP is fine and actually in my opinion the most OS friendly EAP method (I define friendly as no complicated installer required and no EAP fragmentation issues) as long as you use a non sensitive password. But who does that ? and that is what hurts PEAP. There are now Wifi hacking kits designed to collect passwords for WPA enterprise .Canada has been pushing for their eduroam partners to use CAT to mitigate the problem since CAT enforces the certificate pinning and prevents users from accepting « anything » when presented with a fake certificate.
We implemented campus wide WEP at University of Tennessee back in 2000. Worst idea ever. Our CiO absolutely wanted security and we got the Lucent per user per session encryption. OS support fell apart. Worst idea ever. We then did MAC address registration using our home grown netreg... that worked flawlessly for more than 10 years. We tried in the meantime 802.1X with the Odyssey client (from Funk back then). Thank goodness we kept it as a pilot within the IT department! Then slowly but surely OSes started to get their act together with EAP-TTLS (not in Windows for quite a while if you remember). Now we finally have PEAP working fine everywhere but we screw it up by using sensitive passwords, and EAP-TLS is the golden standard but requires a heavy duty installer. Something tells me that it will eventually get better. (just wait 20 years :) Philippe Philippe Hanset, CEO ANYROAM LLC www.anyroam.net www.eduroam.us +1 (865) 236-0770 On Aug 19, 2020, at 1:38 PM, Jeffrey D. Sessler <j...@scrippscollege.edu> wrote: For a student population that will only be with the institution for 4 years, and then spend the next 60 years using WiFi options with lower barriers and potentially a little more risk, are EDU’s getting it wrong? Are we too focused on something with low risk while ignoring other higher risk issues? At the point one needs complicated provisioning tools, your userbase sees only barriers, and then wonders why the other 99% of places they frequent don’t require such inconveniences. The key is a _realistic_ risk assessment. There are plenty of examples outside of technology e.g. the lock on your doors, where it’s a given there are no silver bullets and we choose based on risk vs cost. Do you spend thousands of dollars to put Bowley locks on your doors, or accept that in most situations, the $20 kwickset locks are good enough? As a bad actor, why would I spend time trying to compromise a WiFi network, when it’s far easier to send your organization phishing emails? Phishing can be done remotely and exploit the greatest weakest (humans). A successful phish/compromise and I’m well past the front door, the expensive locks, and enjoying a beer from your refrigerator. According to by eduroam guest reports, PEAP still dominates everything else at 89.7% vs 8.3% for EAP-TLS and 1.97% for EAP-TTLS. I don’t know that I’d call that legacy, and while it does have weakness, how would one compare it to an institution that may not have the best security controls around their provisioning tools? A compromise of one’s provisioning tool, say because of admins using weak passwords and/or no MFA, may present a higher security risk than the use of PEAP. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 9:43 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? My old colleagues likely won’t be happy with me saying this, but given the industry changes, I think you should collectively pressure NAC vendors to make device provisioning part of the core product without the need for additional licensing (at least for EDU). 😊 From: Tim Tyler Sent: Wednesday, August 19, 2020 12:39 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Yes, I always find this conversation to be interesting. There are many institutions that can’t afford an on-boarding solution. Hence, the certs usually get ignored since most configurations are manual or semi-automatic. And my thought is that mac address registration would eliminate the vulnerability of user’s credentials via network authentication. So this is something I keep thinking might be better than 802.1x if certs are going to get ignored anyways. But the recent conversation on mac addresses potentially becoming dynamic will make me strongly hesitate on this thought. Tim From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Correct, some versions of operating systems do not support a self-signed EAP server certificates. It is also just a bad idea as you can’t renew it without re-onboarding devices. If you use at least 1 issuer, you can cycle the certificate without updating clients. PEAP (and EAP-TTLS) should never be used on unmanaged devices unless a security assessment has been done and its been determined that credential exposure is an acceptable risk to the organization. I feel like this conversation surfaces multiple times per year. So here’s the summary: If able, EAP-TLS should be used for all user-centric device network access. This then implies an organizationally controlled PKI is used to issue the EAP server certificate. If EAP-TLS is not feasible and a legacy, known vulnerable EAP method like PEAP is going to be used, it is highly recommended that a supplicant provisioning wizard be used. This would also use an organizationally controlled PKI for the EAP server certificate. Your information security team should determine whether credential exposure is an acceptable risk for the organization. If EAP-TTLS/PAP or EAP-TTLS/MSCHAPv2 are used, a supplicant provisioning wizard is required for Apple operating systems. This would also use an organizationally controlled PKI for the EAP server certificate. Your information security team should determine whether credential exposure is an acceptable risk for the organization. If you decide to use an EAP server certificate from a public CA, expect problems every year. General summary Always use a PKI in your control for the EAP server identity so you’re able to renew the server certificate without any risk of a chain change or enforcement of restrictions intended for browsers If you must use legacy password-based authentication, use a supplicant provisioning wizard (but realize this does not remove all risk as you can’t force users to use it) If users configure their own supplicant for password-based authentication or blindly accept a certificate prompt, you should assume that their credentials have been comprised Also one quick update regarding Android: Android 11 will not restrict EAP server certificates to Chrome’s 1 year lifetime. tim From: Dennis Xu Sent: Wednesday, August 19, 2020 12:12 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Hi Tim, Can you please further elaborate the issues with self-signed certs vs private CA signed certs besides the manageability stuffs? I understand some OSes cannot connect if using self-signed cert for PEAP authentication, unless using on-boarding solutions to configure them to trust the cert. I am not sure if the private CA signed cert makes any difference on this. Below is from the FreeRADIUS EAP configuration file: # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. Thanks, Dennis From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Mike Atkins Sent: Wednesday, August 19, 2020 11:51 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to ith...@uoguelph.ca Good clarification, thanks. In previous discussions, our identity group mentioned using PKI that they use for other systems. Note to self, be careful what you ask for. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:34 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Got it. Just to clarify, a self-signed EAP server certificate should never be used. A server certificate issued by a PKI under your control is the best deployment practice (which is not the same as a self-signed certificate). tim From: Mike Atkins Sent: Wednesday, August 19, 2020 11:31 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Tim, We use the public certificates for users that do not use our onboarding utility. We use a public root certificate that is in pretty much all operating systems. Fortunately or unfortuanately, some operating systems still want to walk the entire chain so we onboard with the root and intermediate. Our information security group had concerns about users just accepting security prompts for certificates. Using a self-signed cert that expires far into the future sounds better each day. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 10:38 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? If you’re already onboarding your users, why do you continue to use a public cert? A public EAP server cert should only be used when a “walk-up” enter your username/password experience is desired (of course that’s after your organization has decided that credential exposure is not a concern). Tim From: Mike Atkins Sent: Wednesday, August 19, 2020 10:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? We were burnt last December by an updated cert with the same cert chain and still not trusted by some devices/operating systems. We learned documents that referenced changes to the default web browser on an operating system ended up with a modification in the operating system that matched the web browser's changed behavior. I think this is the same experience Christopher is referencing. We ended up having to re-onboard all of our devices at the very last minute. We spent more time than we should have to try to avoid onboarding devices mid-semester when our cert expired. (this happened right around finals of course) Our identity group is buying a cert to test with a month in advance. They then cancel/revoke that cert to get money back and then order the production cert. This is to best ensure we test with the right root/intermediate certificate authorities that will be on our production cert. We still lose about a week on the production cert between testing and install. Ideally, we would keep the yearly cert installation during the summer but time is against us. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Johnson, Christopher Sent: Wednesday, August 19, 2020 10:07 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? I think it's going to "depend" on each Operating System for the 802.1X authentications being affected. The information below is more of just an FYI on what I've observed (cause I imagine someone's going to say - If I'm going through the trouble of installing a public Root CA that already exists - then why not go ahead and use a Private CA). 1. Apple specifically states "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." - so that makes me wonder if you install a public Root CA via a mobile config for example for iOS - does that exempt it from the 1 year limitation then? 2. Chrome OS though (at least from the behavior I've seen) you can't install a public Root that already exists on to the OS. I don't think I would trust those "possible exceptions though". One of the annoying things I felt with Android and Chromebook for certificate management was If I go into the device and "Disable/Turn Off the certificates/Set to Not Use" - then all portions of the Operating System should not use those certificates regardless. However, from what I saw, even if I disable some of the Public CAs - the wireless supplicant still seems to trust them. Christopher Johnson Wireless Network Engineer Office of Technology Solutions | Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Tyler Sent: Wednesday, August 19, 2020 8:45 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? [This message came from an external source. If suspicious, report to ab...@ilstu.edu<mailto:ab...@ilstu.edu>] I was told by Sertigo that all commercial certs would be affected. We just bought the last 2 year expirations we could get away with for both 802.1x and https. The reason I am told has to do with so many smaller establishments that go out of business before their cert expires leaving the cert as a security vulnerability for consumers. I just wish there was a way to allow for the longer certs for those of us that have a long history of existence and stability. Such a pain. And I am told they are debating quarterly cert replacements in the future. That would turn cert management into a much bigger responsibility if that were to happen. Hopefully that doesn’t happen. And yes, if you want to manage EAP with your own self cert, I believe you can use a longer expiration. Tim -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andrew Gallo Sent: Wednesday, August 19, 2020 8:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Does anyone know if the new, shorter certificate expiration for TLS that Apple announced (and Google is following) will affect 802.1X authentication? Thanks -- ________________________________ Andrew Gallo The George Washington University ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
