Re: Statistics on EAP methods widely used
Panagiotis Georgopoulos wrote:
> When did I ever call someone a liar?

>>> At first you said that 99.9% is PEAP and practise says that 75% is
>>> PEAP (even in just 4 hours).

> I am trying to have a discussion with people that would be willing to share
> some real results or give me some pointers because there is nothing as such
> online.

Sure. You need to understand the statistics that come back before disagreeing with them.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Statistics on EAP methods widely used
Hello Alan,

Thanks for your reply,

> > I understand your view here and I don't disagree. My point is to
> > firstly see which of them are being used in practice and then try to
> > identify why. In certain instances some of them are more
> > convenient/secure/etc than others, but when you know their popularity
> > you can start thinking of other questions such as why would you need
> > to configure both PEAP and EAP-TTLS for example. If providers are doing so
> > there must be a reason and this is what I wanted to see.
>
> answers
>
> 1) the usage figures are known by sites who tell - they always show PEAP being
> the most favoured

I didn't know that, and some articles I read didn't favour PEAP that much. Good to learn.

> 2) backend authentication method
>
> 3) PEAP is most convenient... with correct deployment they are all as secure
> as each other

I would imagine that from the backend's perspective deploying PEAP and EAP-TTLS is similar, right? When you mention here convenient you mean in terms of the clients that support it out of the box?

> 4) because you can. we support PEAP/EAP-TTLS/EAP-TLS/EAP-PWD because our
> authentication system works with them all and it means that we can offer the
> widest range of authentication methods to clients - especially of interest to
> the mobile space where, for example, Apple could suddenly decide not to
> support PEAP anymore we've got EAP-TTLS there.

So being more inclusive and supporting more devices out of the box is a reason for supporting more than one EAP method on the server.

> there is knowledge and a very large historical tract of 802.1X space.

> > the requirements of the scenario. I more wanted to see what do
> > providers eventually support and what prevails in the real world (vs
> > theory).
>
> ..and what would happen if the only vocal people who provided you with data
> were all using EAP-TLS or EAP-FAST, you would get a very distorted view of
> what's going on in the real world. that is the problem with such surveys or
> questions...

Nothing would happen! I asked to see if people have pointers or would be willing to share their stats/numbers as there is nothing as such online.

Thanks for your reply,
Panos
RE: Statistics on EAP methods widely used
Hi Phil,

Thanks for your reply.

> Sorry, but you're misunderstanding the stats, or reading too much into them.
>
> These are EAP types from EAP *packets*, not sessions. And, as I said, it
> excludes our *own* users (i.e. it's just visitors) which removed several
> hundred thousand PEAP packets from the count.
>
> EAP-Identity doesn't count as an auth type; there is one EAP packet for every
> session, at the start.
>
> If you exclude the Identity packets (type 1) and NAK packets (type 3) you
> have:
>
>     91 0d
>   4848 15
>  35801 19
>
> This is 87% PEAP. However, this is still *packets*. It takes no account
> of sessions, of the client re-auth times, TLS session resumption, and so
> forth, and is still just for visitors.

You are right Phil, I didn't get that these were counters for packets. My comment was merely on the fact that I am unable to find some related statistics and that people mention online their "feeling" about deployed/used EAP methods but there is no such survey/analysis available.

> I'm afraid I don't have time to do more detailed processing. But really,
> you would want to "unique" any stats by client (Calling-Station-Id) and
> EAP-type, and measure "EAP type client days" or something.

Fair enough, thanks a lot for the insight,
Panos
RE: Statistics on EAP methods widely used
> Panagiotis Georgopoulos wrote:
> > At first you said that 99.9% is PEAP and practise says that 75% is
> > PEAP (even in just 4 hours). Essentially this is what I am after, to
> > see whether what I am reading online is also what happens in practice (in
> > terms of deployment and usage) (and then search why).
>
> If you're going to call us liars, then you can go find your own mailing
> list.

When did I ever call someone a liar?

> This list isn't the place to do research. The people here are answering
> your questions out of the kindness of their hearts. It's not nice to call
> them liars.

It is because of the kindness of the people that I decided to ask. I didn't call anyone a liar. I am trying to have a discussion with people that would be willing to share some real results or give me some pointers because there is nothing as such online.

Panos
Re: Statistics on EAP methods widely used
On 20/11/12 17:50, Panagiotis Georgopoulos wrote:
>>     91 0d
>>    501 03
>>   4848 15
>>   7540 01
>>  35801 19
>>
>> So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.
>
> Thanks a lot for these specific results. Essentially you are proving my point :-)
> At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even
> in just 4 hours). Essentially this is what I am after, to see whether what I am
> reading online is also what happens in practice (in terms of deployment and
> usage) (and then search why).

Sorry, but you're misunderstanding the stats, or reading too much into them.

These are EAP types from EAP *packets*, not sessions. And, as I said, it excludes our *own* users (i.e. it's just visitors) which removed several hundred thousand PEAP packets from the count.

EAP-Identity doesn't count as an auth type; there is one EAP packet for every session, at the start.

If you exclude the Identity packets (type 1) and NAK packets (type 3) you have:

    91 0d
  4848 15
 35801 19

This is 87% PEAP. However, this is still *packets*. It takes no account of sessions, of the client re-auth times, TLS session resumption, and so forth, and is still just for visitors.

I'm afraid I don't have time to do more detailed processing. But really, you would want to "unique" any stats by client (Calling-Station-Id) and EAP-type, and measure "EAP type client days" or something.
Re: Statistics on EAP methods widely used
Panagiotis Georgopoulos wrote:
> At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even
> in just 4 hours). Essentially this is what I am after, to see whether what I am
> reading online is also what happens in practice (in terms of deployment and
> usage) (and then search why).

If you're going to call us liars, then you can go find your own mailing list.

This list isn't the place to do research. The people here are answering your questions out of the kindness of their hearts. It's not nice to call them liars.

If you care enough about the numbers, you will go do your own work. Then, everyone here can question your methods and tell you you're doing it wrong.

Alan DeKok.
RE: Statistics on EAP methods widely used
Hello Stefan,

Thanks for your reply.

> Subject: Re: Statistics on EAP methods widely used
>
> Hi,
>
> > I've been searching all morning for NRPS statistics but I have been
> > unable to find any online. I know there are eduroam people in this list...
> > could they help?
>
> In eduroam, every identity provider makes the choice of EAP type all on their
> own. I.e. we do not have a central register of who uses which EAP type.
>
> Of course these things can be found out; if by no other means by sniffing the
> first bytes of EAP conversations on proxies to see which EAP type was
> negotiated. But seriously: what's the point?

I understand your view here and I don't disagree. My point is to firstly see which of them are being used in practice and then try to identify why. In certain instances some of them are more convenient/secure/etc than others, but when you know their popularity you can start thinking of other questions such as why would you need to configure both PEAP and EAP-TTLS for example. If providers are doing so there must be a reason and this is what I wanted to see.

From another point of view, I keep reading about "x being the most widely deployed" or "z being the most commonly used" but no one backs up their claim. That's why I thought to ask...

> There is no definitive answer which EAP type is "best", so you'll have to sit
> down and find out your own needs yourself.

I didn't want to find which one is the "best", because as you say this is in relation to the requirements of the scenario. I more wanted to see what do providers eventually support and what prevails in the real world (vs theory).

Thanks for your reply,
Panos
Re: Statistics on EAP methods widely used
Hi,

...as I write this, we have 3856 clients using the wireless,

3828 are using PEAP
26 are using EAP-TTLS
2 are using EAP-TLS

of course, if those 26 were very mobile across the UK then the national proxies might think we had far more EAP-TTLS users than PEAP users

ALL are using WPA2/AES (for me, that is far more important as a statistic!)

but our values lie nicely in the 99% of clients are using PEAP that was already mentioned

alan
Re: Statistics on EAP methods widely used
Hi,

> At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even
> in just 4

bt! that's where you are wrong ;-) you've got to take into account what the packet counts are measuring and whether these are unique clients. all it takes is a chatty couple of clients and your stats are skewed... for example, a client using EAP-TTLS that is continually reauthing will change the balance ..and EAP-TTLS takes a couple more packets to construct the tunnel so will therefore have higher packet presence.

we can, for example, see what methods sites use for their monitoring of service but that isn't indicative of all the methods that they use... and locally they might use some other method for their local 802.1X - eg EAP-TLS

eg 102 organisations use a PEAP test account, 10 organisations use EAP-TTLS (with various inner types).

I guess the real question is WHY are you asking this - for a comp sci research project or for eg local administrative work?

alan
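Added example (not part of any message in this thread): the point made in the reply above and in Phil's message, that per-packet counts are not per-client counts, worked through in Python. THREAD_COUNTS holds the figures posted in the thread; SAMPLE, its MAC addresses and its EAP messages are constructed, and the function names are this example's own.

```python
from collections import Counter

# EAP method type numbers as assigned by IANA; the thread quotes them in hex.
EAP_TYPES = {0x01: "Identity", 0x03: "NAK", 0x0D: "EAP-TLS",
             0x15: "EAP-TTLS", 0x19: "PEAP"}
NOT_A_METHOD = frozenset({0x01, 0x03})  # Identity and NAK are not auth methods

# Packet counts exactly as posted in the thread, keyed by EAP type.
THREAD_COUNTS = {0x0D: 91, 0x03: 501, 0x15: 4848, 0x01: 7540, 0x19: 35801}


def share(counts, exclude=frozenset()):
    """Percentage per EAP type name, leaving out the types in `exclude`."""
    kept = {t: n for t, n in counts.items() if t not in exclude}
    total = sum(kept.values())
    return {EAP_TYPES.get(t, hex(t)): round(100.0 * n / total, 1)
            for t, n in kept.items()}


def eap_type(eap_message_hex):
    """Type byte of an EAP Request (code 1) or Response (code 2), else None.

    Layout: Code(1) Identifier(1) Length(2) Type(1) Type-Data(...).
    """
    raw = bytes.fromhex(eap_message_hex)
    if len(raw) < 5 or raw[0] not in (1, 2):
        return None  # Success/Failure packets carry no Type field
    return raw[4]


def typed(records):
    """Yield (day, calling_station_id, eap_type) for packets that have a type."""
    for day, mac, msg in records:
        t = eap_type(msg)
        if t is not None:
            yield day, mac, t


def packet_counts(records):
    """Packets per EAP type: what the figures in the thread measure."""
    return Counter(t for _, _, t in typed(records))


def client_day_counts(records):
    """Unique (day, Calling-Station-Id) pairs per negotiated EAP method."""
    seen = {r for r in typed(records) if r[2] not in NOT_A_METHOD}
    return Counter(t for _, _, t in seen)


def _packets(day, mac, type_hex, n):
    # Constructed 6-byte EAP Response: code 02, id 01, length 0006, type, flags 00
    return [(day, mac, "02010006" + type_hex + "00")] * n


# Constructed log: three PEAP clients and one EAP-TTLS client that keeps
# re-authenticating. MACs are from the RFC 7042 documentation range.
SAMPLE = (
    _packets("2012-11-20", "00-00-5E-00-53-01", "19", 2)
    + _packets("2012-11-20", "00-00-5E-00-53-02", "19", 2)
    + _packets("2012-11-20", "00-00-5E-00-53-03", "19", 2)
    + _packets("2012-11-20", "00-00-5E-00-53-04", "15", 12)
    + [("2012-11-20", "00-00-5E-00-53-04", "03040004")]  # EAP-Success, skipped
)

if __name__ == "__main__":
    print("thread, all packets:   ", share(THREAD_COUNTS))
    print("thread, methods only:  ", share(THREAD_COUNTS, NOT_A_METHOD))
    print("sample, by packet:     ", share(packet_counts(SAMPLE), NOT_A_METHOD))
    print("sample, by client-day: ", share(client_day_counts(SAMPLE)))
```

In the constructed sample one re-authenticating EAP-TTLS client produces two thirds of the packets while being one client-day out of four.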
RE: Statistics on EAP methods widely used
Hi Phil,

> > I've been searching all morning for NRPS statistics but I have been
> > unable to find any online. I know there are eduroam people in this list...
> > could they help?
>
> As Stefan has said, it's a lot of work, and you'll need to justify it.
>
> However, in the spirit of being helpful - our ORPS stats for the last 4 hours,
> excluding our own users, show the following EAP types (in hex):
>
>     91 0d
>    501 03
>   4848 15
>   7540 01
>  35801 19
>
> So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.

Thanks a lot for these specific results. Essentially you are proving my point :-) At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even in just 4 hours). Essentially this is what I am after, to see whether what I am reading online is also what happens in practice (in terms of deployment and usage) (and then search why).

Thanks again,
Panos
Re: Statistics on EAP methods widely used
Hi,

> I understand your view here and I don't disagree. My point is to firstly see
> which of them are being used in practice and then try to identify why. In
> certain instances some of them are more convenient/secure/etc than others, but
> when you know their popularity you can start thinking of other questions such
> as why would you need to configure both PEAP and EAP-TTLS for example. If
> providers are doing so there must be a reason and this is what I wanted to see.

answers

1) the usage figures are known by sites who tell - they always show PEAP being the most favoured

2) backend authentication method

3) PEAP is most convenient... with correct deployment they are all as secure as each other

4) because you can. we support PEAP/EAP-TTLS/EAP-TLS/EAP-PWD because our authentication system works with them all and it means that we can offer the widest range of authentication methods to clients - especially of interest to the mobile space where, for example, Apple could suddenly decide not to support PEAP anymore we've got EAP-TTLS there.

> From another point of view, I keep reading about "x being the most widely
> deployed" or "z being the most commonly used" but no one backs up their claim.
> That's why I thought to ask...

there is knowledge and a very large historical tract of 802.1X space.

> the requirements of the scenario. I more wanted to see what do providers
> eventually support and what prevails in the real world (vs theory).

..and what would happen if the only vocal people who provided you with data were all using EAP-TLS or EAP-FAST, you would get a very distorted view of what's going on in the real world. that is the problem with such surveys or questions...

alan
RE: Statistics on EAP methods widely used
Hi Olivier,

> > I've been searching all morning for NRPS statistics but I have been
> > unable to find any online. I know there are eduroam people in this list...
> > could they help?
>
> On our side we support eap-peap/mschapv2 and eap-ttls/mschapv2. We're
> providing documentation and configuration tool for the peap method.
>
> Statistics reports 60% of peap against 40% of ttls.
>
> Total number of eduroam users live is approx 800

Thanks very much,
Panos
Re: Statistics on EAP methods widely used
Hi,

> information on the web already in "how-to-connect-to-our-wifi" guides. It
> seems strange to me that there is no survey with collective statistics about
> this anywhere.

it's because no one cared... and therefore our systems aren't collecting such information. we *could* survey our federation... but, to be honest, I think some of them are getting sick of being surveyed about this and that almost every few months.

> I've been searching all morning for NRPS statistics but I have been unable to
> find any online. I know there are eduroam people in this list... could they
> help?

...what would the end result be? is there a reason for wanting to know exact percentages of each good EAP method? EAP-TLS is fairly rare due to the PKI required... though with centralised systems such as eduroamJP project that may change... PEAP is most common... EAP-TTLS next so (though what method is used in EAP-TTLS inner is another thing altogether!) - then there are the hen's teeth - EAP-FASTv1, EAP-PWD and PEAPv1-GTC

alan
Re: Statistics on EAP methods widely used
On 20/11/12 14:19, Panagiotis Georgopoulos wrote:
> Yeap, I understand this but telling people that you are doing EAP-TLS, or
> EAP-TTLS, or PEAP, or whatever does not really expose your network. Many
> companies have this information on the web already in
> "how-to-connect-to-our-wifi" guides. It seems strange to me that there is no
> survey with collective statistics about this anywhere.

Why are you telling us that? We know. We agree. The point is that lots of *other* people don't. Alan is not saying this is sensible; he's saying it *is the case*.

> I've been searching all morning for NRPS statistics but I have been unable to
> find any online. I know there are eduroam people in this list... could they
> help?

As Stefan has said, it's a lot of work, and you'll need to justify it.

However, in the spirit of being helpful - our ORPS stats for the last 4 hours, excluding our own users, show the following EAP types (in hex):

    91 0d
   501 03
  4848 15
  7540 01
 35801 19

So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.
Re: Statistics on EAP methods widely used
> I've been searching all morning for NRPS statistics but I have been unable to
> find any online. I know there are eduroam people in this list... could they
> help?

On our side we support eap-peap/mschapv2 and eap-ttls/mschapv2. We're providing documentation and configuration tool for the peap method.

Statistics reports 60% of peap against 40% of ttls.

Total number of eduroam users live is approx 800

Olivier B.
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
RE: Statistics on EAP methods widely used
> Subject: Re: Statistics on EAP methods widely used
>
> From my own experience PEAP (aka PEAPv0/mschapv2) is the most common EAP
> method in use (probably due to it being supported in most clients and backend
> authentication systems)
>
> alan

Thanks for your reply Alan. I've also read that PEAP is very widely deployed mostly because of the support by big vendors. But then again, I am unable to find any references or any survey with some statistics on this...

Anyone else any pointers?

Thanks,
Panos
Re: Statistics on EAP methods widely used
Hi,

> I've been searching all morning for NRPS statistics but I have been unable to
> find any online. I know there are eduroam people in this list... could they
> help?

In eduroam, every identity provider makes the choice of EAP type all on their own. I.e. we do not have a central register of who uses which EAP type.

Of course these things can be found out; if by no other means by sniffing the first bytes of EAP conversations on proxies to see which EAP type was negotiated. But seriously: what's the point?

There are a number of EAP methods which satisfy the IETF requirements for "good" EAP types in RFC4017. So long as you stay in the "good" set - pick whatever fits your local situation best; some have advantages in certain situations, others don't.

There is no definitive answer which EAP type is "best", so you'll have to sit down and find out your own needs yourself.

And if you just want statistics for statistics' sake... sorry, that kind of information is so hard to get hold of, I'm reasonably confident that it won't be done unless there's a real use case for it.

That said, we might get information of that kind as a by-product of a configuration assistant tool which identity providers may use to make their lives easier, and then maybe we could generate numbers from that. Don't hold your breath though.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
RE: Statistics on EAP methods widely used
> Panagiotis Georgopoulos wrote:
> > I am trying to find some statistics on what is the
> > most commonly deployed/used EAP method using FreeRadius (or RADIUS in
> > general).
>
> That's hard. It requires organizations to tell people what they're doing.
> Most organizations won't say this.

Yeap, I understand this but telling people that you are doing EAP-TLS, or EAP-TTLS, or PEAP, or whatever does not really expose your network. Many companies have this information on the web already in "how-to-connect-to-our-wifi" guides. It seems strange to me that there is no survey with collective statistics about this anywhere.

> > There are many claims that, for example, EAP-TLS and
> > EAP-TTLS are most commonly used (and secure) but these are never
> > backed up by any survey/references. Any pointers?
>
> The best source of these stats is probably the eduroam proxies.
> However, that information is hard to get.

I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?

Thanks,
Panos
Re: Statistics on EAP methods widely used
Panagiotis Georgopoulos wrote:
> I am trying to find some statistics on what is the most
> commonly deployed/used EAP method using FreeRadius (or RADIUS in general).

That's hard. It requires organizations to tell people what they're doing. Most organizations won't say this.

> There are many claims that, for example, EAP-TLS and
> EAP-TTLS are most commonly used (and secure) but these are never backed
> up by any survey/references. Any pointers?

The best source of these stats is probably the eduroam proxies. However, that information is hard to get.

Alan DeKok.
Re: Statistics on EAP methods widely used
On 20/11/12 12:53, Panagiotis Georgopoulos wrote:
> Hello all,
>
> I apologize for the “spam” but I thought that you would be able to give me a
> couple of pointers on the following. I am trying to find some statistics on
> what is the most commonly deployed/used EAP method using FreeRadius (or RADIUS
> in general). There are many claims that, for example, EAP-TLS and EAP-TTLS are
> most commonly used (and secure) but these are never backed up by any
> survey/references. Any pointers?

We support the following:

EAP-PEAP/MSCHAP
EAP-TTLS/PAP
EAP-TTLS/MSCHAP
EAP-TLS

...and 99.9% of our auth is EAP-PEAP/MSCHAP.

So, I would have to say that PEAP/MSCHAP is the most common, and my understanding of other sites suggests the same.
Re: Statistics on EAP methods widely used
From my own experience PEAP (aka PEAPv0/mschapv2) is the most common EAP method in use (probably due to it being supported in most clients and backend authentication systems)

alan
Re: Statistics on EAP methods widely used
It works perfectly almost without any changes inside config files... :)

hint: default_eap_type = peap inside eap.conf

On 20.11.2012 14:24, Alan Buxey wrote:
> From my own experience PEAP (aka PEAPv0/mschapv2) is the most common EAP
> method in use (probably due to it being supported in most clients and backend
> authentication systems)
>
> alan
Statistics on EAP methods widely used
Hello all,

I apologize for the "spam" but I thought that you would be able to give me a couple of pointers on the following. I am trying to find some statistics on what is the most commonly deployed/used EAP method using FreeRadius (or RADIUS in general). There are many claims that, for example, EAP-TLS and EAP-TTLS are most commonly used (and secure) but these are never backed up by any survey/references. Any pointers?

Thanks a lot,
Panos