On Wed, 2014-06-11 at 13:07 -0400, John Dennis wrote:
> On 06/11/2014 12:12 PM, Nathaniel McCallum wrote:
> > On Wed, 2014-06-11 at 08:55 -0400, John Dennis wrote:
> >> On 06/11/2014 04:02 AM, Fraser Tweedale wrote:
> >>> There are other use cases for user certificates, e.g. client
> >>> authentication for HTTP or other network services. Perhaps you know
> >>> of others - in which case let us know.
> >>
> >> 802.11 wireless authentication using EAP-TLS
> >>
> >> A common discussion on the RADIUS mailing lists is the desire to deploy
> >> using EAP-TLS but the difficulty of provisioning user certs is always
> >> the stumbling block.
> >
> > Why EAP-TLS over EAP-TTLS? Legacy support? You can use a combo of
> > mechanisms to support older OSes (mainly Windows).
>
> Because EAP-TLS is what is used for mutual client/server authentication
> using PKI. EAP-TLS is supported on more legacy OSes (e.g. older
> Windows). Microsoft only started supporting EAP-TTLS in Windows 8.
> EAP-TLS is considered very secure and my (unconfirmed) understanding is

*cough*heartbleed*cough* ;)

> it's somewhat common with enterprise Windows deployments because
> Microsoft makes it easy to provision client certs.
>
> EAP-TTLS is primarily to set up a tunnel for other (less secure) methods
> so that sensitive information is not in the clear. Note the leading T in
> TTLS refers to "tunnel". Client authentication is optional with
> EAP-TTLS. You could establish a TLS tunnel with EAP-TTLS and then run
> EAP-TLS inside the tunnel but the two TLS sessions make it much less
> efficient; the advantage is the username can be anonymous with
> EAP-TTLS/EAP-TLS if that's actually a concern. If you're not concerned
> about user anonymity (outer identity) then there is no value in
> establishing a tunnel to run other authentication protocols in; with
> EAP-TLS, simply being able to complete the SSL handshake (with the
> required client cert) is sufficient to establish authentication.

Yes, this I understand. But in my experience, TTLS is being widely
deployed in combination with an inner client authentication precisely
because TLS was so hard to maintain. MS fought TTLS for a long time and
eventually gave in in Windows 8 precisely because so many people were
deploying TTLS with an inner authenticator. I can't think of a single
example of a TLS deployment that can't be given a better user experience
by migrating to TTLS (old Windows excluded of course).

Nathaniel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
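The two arrangements discussed above, as an added illustration that is not from the thread or from FreeIPA: a wpa_supplicant network block for plain EAP-TLS (client cert presented in the outer handshake) beside one for EAP-TTLS with an anonymous outer identity and the real credential sent only inside the tunnel. The SSID, realm, user name and file paths are placeholders.

```conf
# --- EAP-TLS: the client certificate IS the authentication. ---
# Completing the outer TLS handshake with the required client cert is
# sufficient; the user name is visible in the EAP-Identity exchange.
network={
    ssid="corp-wifi"                  # placeholder
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"      # placeholder, sent in the clear
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    # Pin the RADIUS server name; the CA alone may have issued other
    # server certs, and an unpinned supplicant accepts any of them.
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="changeit"     # placeholder
}

# --- EAP-TTLS: outer TLS tunnel, inner method carries the credential. ---
# Only anonymous_identity leaves the tunnel; identity and password are
# sent in phase 2. Without ca_cert and domain_suffix_match the supplicant
# would hand the inner credential to whoever answers as the server, so
# server validation is what makes the "less secure" inner method safe.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"   # outer identity only
    identity="alice@example.com"                 # seen only by the server
    password="s3cret"                            # placeholder
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
    # To run EAP-TLS inside the tunnel instead (the two-TLS-session case
    # John describes), replace the three lines above with:
    #   phase2="autheap=TLS"
    #   client_cert2="/etc/wpa_supplicant/alice.crt"
    #   private_key2="/etc/wpa_supplicant/alice.key"
}
```

Both blocks are validated on Linux with `wpa_supplicant -c <file> -i <iface>`; the outer/inner split is the only difference in what an observer on the air can see.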