13

As I understood EAP-TTLS and PEAP share same level of security when implemented in wireless networks. Both only provide server side authentication via certificate.

The drawback of EAP-TTLS can be non native support in Microsoft Windows so every user has to install additional software.

The benefit of EAP-TTLS can be support for less secure authentication mechanisms (PAP, CHAP, MS-CHAP) but why would you need them in modern and properly secure wireless system?

What are you opinions? Why should I implement EAP-TTLS instead of PEAP? Let's say that I have most Windows users, medium Linux users and least iOS, OSX users.

Ivan Macek
  • 143
  • 1
  • 1
  • 6

7 Answers7

14

Client restrictions

  • iOS clients won’t support EAP-TTLS with PAP (only MsCHAPv2) unless you manually (via a computer) install a profile.

  • Windows clients won’t support EAP-TTLS out-of-box (you’ll need to install a software like secure2w), unless they have Intel wireless cards.

  • Android support almost all combinations of EAP and PEAP.


Password database restrictions

Thus, the real problem is how your passwords are stored.

If they are in:

  • Active Directory, then you can use EAP-PEAP-MsCHAPv2 (Windows boxes) and EAP-TTLS-MsCHAPv2 (with iOS clients).

  • If you store passwords on LDAP, you can use EAP-TTLS-PAP (Windows boxes) but you will be lost about iOS.


Important Security Concerns

  • Both EAP-TTLS and PEAP use TLS (Transport Layer Security) over EAP(Extensible Authentication Protocol).

As you may know, TLS is a newer version of SSL and works based on certificates signed by a trusted central authority (Certification Authority - CA).

To establish a TLS tunnel, the client must confirm it is talking to the correct server (In this case, the radius server used to authenticate users). It does that by checking if the server presented a valid certificate, issued by a trusted CA.

Problem is: normally, you won’t have a certificate issued by a trusted CA, but one issued by an ad-hoc CA you made just for this purpose. Operational system will complain to users that it doesn't know that CA and users (as oriented by you) will happily accept that.

But this poses a major security risk:

Someone can setup a rogue AP inside your business (in a bag or even on a laptop), configure it to talk to his own radius server (running on his laptop or at the own rogue AP).

If your clientes find this AP to have a stronger signal then your access points, they will try connecting to it. Will see an unknown CA (users accept), will establish a TLS tunnel, will send authentication information on this tunnel and the rogue radius will log it.

Now the important part: if you are using a plain text authentication scheme (PAP for example), the rogue radius server will have access to your users passwords.

You can solve that by using a valid certificate issued by a Certification Authority both iOS, Windows (and Android) trust. Or, you can distribute the CA root certificate to your users and inform them to refuse connecting when they see certificate problems (good luck with that).

motobói
  • 1,571
  • 11
  • 17
  • 2
    really great stuff & thanks for raising solid security knowledge here – bourneN5years Aug 09 '16 at 05:39
  • What you've done here is sold the importance of still using a good password scheme (e.g. MS-CHAP-v2), though the CA issue isn't a problem for managed devices (e.g. corporate workstations/phones/etc) as an administrator would be able to add the CA to the OS' trust in advance. – Adambean May 24 '20 at 14:30
8

PEAPv0, PEAPv1 and TTLS have the same security properties.

PEAP is a SSL wrapper around EAP carrying EAP. TTLS is a SSL wrapper around diameter TLVs carrying RADIUS authentication attributes.

EAP-TTLS-PAP can be useful (rather than EAP-PEAP or EAP-TTLS) if the backend authentication database store credentials in a non-reversable hash format such as bigcrypt or any form not compatible with MSCHAP (NT-OWF) In this case it is not possible to authenticate using any of the CHAP based methods.

While you could also emulate PAP using EAP-PEAPv1-GTC this is not as widely supported by clients.

PEAP has some added baggage over TTLS in the form of PEAP version negotiation headaches and historical incompatibilities in PEAPv1 (Such as client magic when deriving master key from PRF) which have made their way into early implementations.

I normally see EAP-TTLS implemented in embedded clients such as subscriber modules in wireless gear with PEAP used more by laptop computers and mobile handsets.

EAP-TTLS has historically not been supported in Windows clients without having to install third party software. EAP-TTLS is now supported starting with Windows 8.

Some additional thoughts:

EAP-TTLS was invented by a RADIUS vendor. EAP-PEAPv0 was invented by Microsoft. EAP-PEAPv1 came out of the IETF process.

There was some additional IETF work on a PEAPv2 which would have made the system more secure by way of crypto bindings to inner authentication methods. This has not gone anywhere as near as I can tell.

Terry Burton
  • 160
  • 1
  • 9
disk eater
  • 111
  • 1
  • 3
2

As disk eater wrote, the main reason people use TTLS is you can allow your radius server to see the cleartext password that way, which can be useful depending on your authentication backend.

A newer consideration that might favor PEAP is that SoH is AFAICT only presented to the RADIUS server if it asks for it, and the only way to ask for it on Microsoft systems is during a PEAP session. So if you want to get agent-like assessment out of agentless assessment (support by more AV vendors probably forthcoming) you'd want PEAP, however if you are looking to work around a 1-factor OAUTH backend by taking a naked password (because heck, the big IDPs that won't provide an inner tunnel service deserve no less and their users are clueless enough to type it in) use TTLS.

skids
  • 21
  • 1
1

You can support both, if your RADIUS backend supports it. However some clients "auto"-connects (Mac OS X >= 10.7 + iOS for example), and they might work less than optimal if you support more than one type, since they just try different combinations until one of them works i.e. they connect with less hassle if there's only one way to connect.

So Basically: support PEAP only, or PEAP+TTLS if you have clients that require TTLS.

1

You have to consider what EAP methods the client supports natively vs. with additional software and what inner authentication methods the server supports.

PEAP and EAP-TTLS are designed to let you validate the identify of the server, but you have to make sure that clients are properly configured to validate the certificate.

PEAP and MS-CHAPv2 are well-supported by clients, but if your server doesn't support MS-CHAPv2 (because you don't store cleartext passwords), you have to come up with another solution. That's the main reason you'll see people use EAP-TTLS and PAP.

Jason Luther
  • 408
  • 3
  • 6
1

I think auto-connect would benefit from both options, the more options the less hassle... eg. if auto-connect tries TTLS-PAP first and then PEAP-MSCHAP, the auto-connect is faster with TTLS-PAP available. So basically: support both, I can't see a disadvantage.

Since MSCHAPs security is broken (google for "crack mschap") pap with cleartext password through ttls has the same level of security as PEAP-MSCHAP.

user212628
  • 11
  • 1
-3

I don't know of any differences in security between EAP-TTLS and PEAP, so it basically comes down to support, where PEAP is the winner.

mgorven
  • 30,036
  • 7
  • 76
  • 121