On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> well looking at man wpa_supplicant I can see
>
> EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.

> also from my google searches it might be possible that windows supports
> PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get

Yes

> There is a concern in our organization with security of PEAP/MSCHAPV2 over
> Eduroam
> because we don't really trust supplicants in windows, macs and various phones
> to do the right thing (windows phone doesn't check the radius certificate for
> example).

If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.

Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
do EAP-TLS.

You do realise that EAP-TLS is certificate based, not
user/password? So you need a full certificate management system to
go with it as well to issue certs to your users. You can't get
user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
certificate (machine auth) only.

My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
deployment tools to get the devices configured correctly.

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
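
An added example, not part of the original message or of the FreeRADIUS or wpa_supplicant projects: a small Python audit for the concern raised in the thread (supplicants that do not check the RADIUS certificate), run over wpa_supplicant network blocks. The sample config, SSIDs, paths and server name are constructed, and the parser assumes simple, non-nested `network={...}` blocks.

```python
import re

# Constructed sample config (not from the thread); paths and names are placeholders.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
}
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''
# wpa_supplicant options that tie the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        lines = [ln for ln in body.splitlines() if "=" in ln and not ln.lstrip().startswith("#")]
        nets.append({k.strip(): v.strip().strip('"') for k, v in (ln.split("=", 1) for ln in lines)})
    return nets

def audit(conf):
    """Map SSID -> findings about RADIUS server certificate validation (802.1X profiles only)."""
    report = {}
    for net in parse_networks(conf):
        if not re.search(r"EAP|IEEE8021X", net.get("key_mgmt", "")):
            continue  # PSK or open network: no RADIUS server certificate involved
        findings = []
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert/ca_path: server certificate is not validated")
        elif not any(k in net for k in NAME_CHECKS):
            findings.append("no server name match: any certificate from this CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` flags the first two profiles and returns an empty findings list for the one that sets both a CA and a server name match.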