[Freeipa-devel] user certificates

John Dennis jdennis at redhat.com
Wed Jun 11 17:07:22 UTC 2014


On 06/11/2014 12:12 PM, Nathaniel McCallum wrote:
> On Wed, 2014-06-11 at 08:55 -0400, John Dennis wrote:
>> On 06/11/2014 04:02 AM, Fraser Tweedale wrote:
>>> There are other use cases for user certificates, e.g. client
>>> authentication for HTTP or other network services.  Perhaps you know
>>> of others - in which case let us know.
>>
>> 802.11 wireless authentication using EAP-TLS
>>
>> A common discussion on the RADIUS mailing lists is the desire to deploy
>> using EAP-TLS but the difficulty of provisioning user certs is always
>> the stumbling block.
> 
> Why EAP-TLS over EAP-TTLS? Legacy support? You can use a combo of
> mechanisms to support older OSes (mainly Windows).

Because EAP-TLS is what is used for mutual client/server authentication
using PKI. EAP-TLS is supported on more legacy OSes (e.g. older
Windows). Microsoft only started supporting EAP-TTLS in Windows 8.
EAP-TLS is considered very secure, and my (unconfirmed) understanding is
it's somewhat common with enterprise Windows deployments because
Microsoft makes it easy to provision client certs.

EAP-TTLS is primarily to set up a tunnel for other (less secure) methods
so that sensitive information is not in the clear. Note the leading T in
TTLS refers to "tunnel". Client authentication is optional with
EAP-TTLS. You could establish a TLS tunnel with EAP-TTLS and then run
EAP-TLS inside the tunnel, but the two TLS sessions make it much less
efficient; the advantage is the username can be anonymous with
EAP-TTLS/EAP-TLS if that's actually a concern. If you're not concerned
about user anonymity (outer identity), then there is no value in
establishing a tunnel to run other authentication protocols in. With
EAP-TLS, simply being able to complete the SSL handshake (with the
required client cert) is sufficient to establish authentication.

-- 
John
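The contrast above, as an added illustration that is not part of the thread: two wpa_supplicant.conf network blocks for the same SSID, one using EAP-TLS (client certificate mandatory, the handshake is the authentication) and one using EAP-TTLS (TLS only as a tunnel, inner password method, anonymous outer identity). SSID, realm, identities and file paths are placeholders.

```conf
# Constructed example (not from the thread); all names and paths are placeholders.

# 1) EAP-TLS: mutual authentication by PKI alone. The supplicant MUST present
#    a client certificate; completing the TLS handshake is the authentication.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="placeholder"
    # Pin the RADIUS server's certificate name as well as its CA, so a
    # rogue AP presenting some other certificate cannot complete the handshake.
    domain_suffix_match="radius.example.com"
}

# 2) EAP-TTLS: the outer TLS session only builds the tunnel (the leading T);
#    the real credential is the inner method. No client certificate is
#    configured, and the identity sent in the clear (outer) is anonymous;
#    the real username travels only inside the tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

In both cases the server-side checks (`ca_cert`, `domain_suffix_match`) are what stop a client from handing its credential to an impostor; with EAP-TTLS that matters more, since the inner password, unlike a client certificate, can be replayed if the tunnel terminates at the wrong server.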