I would do a cost/benefit/risk assessment. IMHO, some of the claimed benefits 
to EAP-TLS over EAP-PEAP may not hold up under objective analysis especially 
when you factor in the added cost to implement/maintain vs the actual risk (or 
perceived benefit).

Just off the top of my head:
Use of credentials vs certificate per device.

  *   How often have a user’s credentials been harvested because they are 
stored for WiFi access?
  *   How often do you disable a single device vs disabling all devices?
  *   With credentials, there is but one tick to disable everything vs having 
to manage/disable all certificate-based devices for an individual. How much 
staff time is involved in managing each?
  *   What’s the cost for the EAP-TLS management platform per year? Is it 
justified i.e. does it enhance the academic mission in any significant way or 
just give IT another tool to manage? What is the impact to the end-users i.e. 
are they happier on EAP-TLS or consider it an annoyance?
  *   Have you observed in-the-wild exploits of your EAP-PEAP implementation 
that would justify the move to EAP-TLS? What’s the cost of mitigation vs 
falling back on your cyber liability insurance?
  *   If you are really worried about the link of account credentials (keys to 
castle) and WiFi admission, why not issue two accounts to users? One that only 
works for WiFi and another for everything else.

We’re an EAP-PEAP shop (for now), and I’m focusing/leaning toward the PPSK-type 
solutions. Users want the Starbucks experience and I’m confounded as to why we 
(EDU) (myself included) are hell-bent on making it so difficult, and/or 
insisting on maximum security/safety for the small percentage of time these 
devices are connected to our networks.

Jeff
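The point both Jeff and Jerry argue over is one mechanism: under EAP-TLS each device presents its own certificate, so a single device can be revoked while the user's other devices stay connected and a password change never touches network access. The Go program below is an added illustration, not code from this thread or from Aruba ClearPass: it builds a constructed campus CA, issues two device certificates to one user, puts one serial on a revocation list and runs the authorization check a RADIUS server would perform. The CA name, the user "jerry" and the serial numbers are made up, and the in-memory map stands in for the CRL or OCSP lookup a real server would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a P-256 cert: a self-signed campus CA when parent is nil, else a per-device client-auth leaf (CN = user).
func newCert(serial int64, cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the system RNG does
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().AddDate(1, 0, 0), BasicConstraintsValid: true, IsCA: parent == nil,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed: the CA template is signed with its own key
		t.KeyUsage, parent, pkey = x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// authorize stands in for the RADIUS EAP-TLS check: chain to the campus CA, then consult the per-device revocation list (CRL stand-in).
func authorize(leaf *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return false
	}
	return !revoked[leaf.SerialNumber.String()] // leaf.Subject.CommonName is the user, if policy needs it
}

// Demo issues two devices to one user, revokes only the phone and reports which is still admitted.
func Demo() (laptopOK, phoneOK bool) {
	ca, caKey := newCert(1, "Campus Device CA", nil, nil)
	laptop, _ := newCert(1001, "jerry", ca, caKey)
	phone, _ := newCert(1002, "jerry", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	revoked := map[string]bool{phone.SerialNumber.String(): true} // constructed revocation entry
	return authorize(laptop, roots, revoked), authorize(phone, roots, revoked)
}
```

Revoking the phone's serial leaves the laptop admitted, which is the per-device control the thread describes; under EAP-PEAP the only comparable lever is disabling the account, which cuts off every device at once.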




From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Bucklaew, Jerry" <j...@buffalo.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 11, 2017 at 5:45 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

To ALL:


   I am going to amend my initial request to “does anyone have any other 
reasons to switch to eap-tls besides the ones I list below”? I am trying to 
build a case for switching and want to gather all the benefits.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the ClearPass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest stay on.  We could do those things 
today but it is just a little harder to do with eap-peap.   We can also get 
users out of storing their usernames and passwords, because everyone does it 
with eap-peap. The thought process went, if you are going to run an onboard 
process anyway, why not onboard with eap-tls.  On the wireless side that is 
really all I have.  I have always been told it is more secure so I have always 
thought I should try and get there.

Now, we are also moving to wired authentication on every port.   We are 
supporting both mac auth and 802.1x (eap-peap).  We did this to get the project 
moving and get all ports to some type of authentication.  Now 802.1x on the 
wired side is just plain difficult.  Nothing except Macs is set up for it out 
of the box.   You need admin rights on the machine to set it up (which many 
people on the wired side don’t have) and you almost have to run through some 
type of onboard process to do it en masse.   You have to deal with stuff like 
network logons and mounting drives before authentication. We also don’t want 
the users storing usernames and passwords, and everyone will because no one wants 
to type it in every time.   I am back to the “if you are going to run through an 
onboard process anyway, will certs make it a little easier?”   It gives you the 
username/password separation, the ability to revoke per device, and once 
onboarded, you never have to be bothered again (until the cert expires).

I am not really concerned about peap being deprecated; it will be around 
forever.   I am not really concerned about usernames and passwords being stolen 
because of eap-peap; there are so many easier ways to do that.  I guess it is 
really the username/password separation and the “thought” that it is the most 
secure method.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Jerry,

Am curious about your reasons for TLS, like if anything beyond "it's better". Concern 
for PEAP being deprecated, etc?

Lee

-----Original Message-----
From: Bucklaew, Jerry [j...@buffalo.edu]
Received: Thursday, 10 Aug 2017, 14:42
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS
To ALL:


We currently do mac auth and EAP-PEAP authentication on our wireless network. 
I am trying to put together a proposal to move to cert based authentication 
and I was wondering if anyone has a proposal or justification already written 
as to why you should move to cert based auth?  Just trying to save myself some 
typing.
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.