On 10/25/23 8:31 AM, Michael Richardson wrote:
As a goal, we need to migrate to more use of EAP-TLS in home environments.
RCM requires it in the end.

  The problem with EAP-TLS is certificate enrollment and trust which we
still have not solved in a way that would work for Joe and Sally Sixpack
running their home network. (Note: I'm assuming that Joe and Sally would
not be running a RADIUS/EAP server in their house but somehow the AP
would be terminating the EAP-TLS transaction).

  RCM means that MAC addresses can't be relied upon anymore; good. The
solution is not EAP-TLS in the home though, it's getting away from the
"single passphrase per SSID" model that Wi-Fi came up with 20+ years ago
and still cannot move beyond. For the record, it's possible to send a
password identifier in the WPA3 exchange to support multiple credentials
on a single SSID (it's part of the 802.11 standard) but the largest mobile
phone company refuses to support it so it's kind of dead-in-the-water.

  So instead of something simple and straightforward like password
identifiers to identify the credential we have shared AD accounts (!) using
MSCHAPv2 (!!) running on a parallel captive portal SSID (!!!) to use a broken
and antiquated enrollment protocol (!!!!) and using some remote logging to
identify who is making the request (!!!!!). At some point the increased
complexity and insanity of it all should tell us that what we're doing is
not quite right. But here we are.


  Dan.

--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
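To illustrate the password-identifier point above, here is an added hostapd.conf fragment (written for this page, not taken from the thread or from the hostapd project) contrasting the single shared passphrase with per-credential SAE password identifiers on one SSID; the interface name, SSID and passwords are constructed placeholders.

```ini
# Constructed hostapd.conf fragment (added example, not from the thread).
# Interface name, SSID and all secrets below are placeholders.
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6

# --- The "single passphrase per SSID" model the post criticises ---
# Every device shares one secret, so the only way to revoke one device is to
# rotate the passphrase on every other device as well.
#wpa=2
#wpa_key_mgmt=WPA-PSK
#rsn_pairwise=CCMP
#wpa_passphrase=one-shared-secret-for-everyone

# --- WPA3-Personal (SAE) with password identifiers ---
# Each person or device gets its own credential on the same SSID. The client
# sends its identifier in the SAE Commit, and the AP uses it to select which
# sae_password entry to authenticate against.
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
# Protected Management Frames are mandatory for WPA3
ieee80211w=2
sae_password=alice-long-random-secret|id=alice
sae_password=bob-long-random-secret|id=bob
sae_password=tv-long-random-secret|id=livingroom-tv
# A credential can also be pinned to its own VLAN for segmentation
# (requires hostapd's dynamic VLAN setup, not shown here):
#sae_password=iot-long-random-secret|id=iot-camera|vlanid=20

# Matching wpa_supplicant network block on Alice's device (for reference):
# network={
#     ssid="HomeNet"
#     key_mgmt=SAE
#     ieee80211w=2
#     sae_password="alice-long-random-secret"
#     sae_password_id="alice"
# }
```

Removing a single sae_password line revokes that one credential while every other household member keeps working, which is the per-credential accountability the thread says the shared-passphrase model cannot provide.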
