
List:       freeradius-users
Subject:    Re: How is PEAP going?
From:       Dave Mason <dmason () transat-tech ! com>
Date:       2003-09-30 18:23:01

Thanks for the update.  I knew you didn't like PEAP, and it sounds like 
you have plenty of reasons.  Unfortunately it looks here to stay for a 
while.  If anyone who is working on it can follow up with the current 
status, I think that information would be well received across the 
list.  Hopefully the Microsoft and Cisco versions aren't mutually 
exclusive.  If they are, it would be good if the PEAP module could 
support both, and you could pick the one you want through configuration.  I 
know there are commercial RADIUS servers that say they support PEAP - I 
wonder what they do...

Dave

Alan DeKok wrote:

>Dave Mason <dmason@transat-tech.com> wrote:
>
>>> Before flaming me, I searched the archives back to June and saw posts 
>>> from people working on PEAP, but nothing about any expected arrival 
>>> date.
>
>  Multiple people claim to have been working on it.  No patches yet,
>though.
>
>
>>>  We would like to use a Freeradius implementation but need some 
>>> idea of its availability for our planning.  Even a ballpark figure 
>>> would help - December?  March?  I understand that TTLS is in the CVS 
>>> head, so maybe some common code is done?
>
>  From what I can tell of reading the specs, TTLS is TLS + Diameter in
>the TLS tunnel.  PEAP is TLS + EAP in the TLS tunnel.  So from that
>perspective, 99% of the work for PEAP should already be done, because
>TTLS is already in the server.
>
>  There's a problem, though.  Its name is Microsoft.  Not only do
>they not know how to program, they don't know how to design protocols,
>or how to write specs, or how to implement those specs.  They did *all*
>of those stages wrong with PEAP.
>
>  When I did the TTLS work, I read the spec, wrote some code, poked
>around with TLS certificates, and got it working pretty quickly.  In
>fact, the major portion of the work for TTLS was re-arranging the EAP
>module & server core to allow the later TTLS code to work.  The
>implementation of TTLS itself is simple, as the TTLS module is small.
>
>  But PEAP is different.  It's not EAP inside of TLS.  It's something
>that's not quite EAP, inside of something that's not quite TLS.
>Further, there are three versions of the protocol: 0, 1, and 2.  To be
>completely inter-operable, any PEAP module will have to implement all
>3 versions.
>
>  But even that isn't good enough.  Read some of the PEAP related
>articles on the net.  There's the Microsoft implementation of PEAP,
>and the Cisco implementation of PEAP.  They don't inter-operate.
>There are multiple PEAP clients, each of which have different bugs,
>and which implement the protocol slightly differently.
>
>  So PEAP isn't one protocol.  It's more like 5-10 closely related
>protocols.
>
>  My conclusion is that PEAP sucks.  PEAP sucks horribly.  It's an
>incredibly stupid protocol, described in a poorly written spec, and
>implemented even more poorly.  In contrast, TTLS is wonderful,
>beautiful, and simple.  It's designed correctly, described well, and
>implemented almost trivially.
>
>
>  My suggestion for people wanting PEAP (and who've read this far in
>the rant), is for them to get PEAP packet traces for multiple clients
>and servers, and post them on the net.  Include packet data from
>inside & outside of the TLS tunnel, and also which clients & server
>software you're using.  Post the URL to the list, and I'll start
>collecting the data for anyone implementing PEAP.
>
>  And if you're worried about client/server licenses forbidding
>"reverse engineering", do that work and post it in a free country like
>Canada, where those clauses are unenforceable, and the DMCA doesn't
>exist.
>
>  Alan DeKok.
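Alan's one-line characterisation above (TTLS is Diameter AVPs inside the TLS tunnel, PEAP is EAP packets inside it) is also the difference an analyst sees when decoding the decrypted inner-tunnel bytes he asks people to collect.  As an added illustration, not part of this thread and not FreeRADIUS code, the Python below frames one constructed inner identity exchange both ways and parses it back, failing closed on any length field that does not match the buffer.  The framing follows RFC 3748 for EAP and the EAP-TTLS AVP layout (Diameter AVP header with RADIUS attribute numbers as codes, e.g. User-Name = 1, EAP-Message = 79); the username and EAP identifier are made-up sample values.  It assumes the inner EAP carries a full Code/Identifier/Length header, which real PEAP clients are not uniform about, and that non-uniformity is the interoperability point of the rant.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP (RFC 3748) constants
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1

# Diameter AVP flag bits, as carried inside the EAP-TTLS tunnel
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40

# RADIUS attribute numbers reused as TTLS AVP codes
RADIUS_USER_NAME = 1
RADIUS_EAP_MESSAGE = 79


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure
    type_data: bytes


@dataclass
class DiameterAvp:
    code: int
    mandatory: bool
    vendor_id: Optional[int]
    data: bytes


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Serialise one EAP packet: Code, Identifier, Length, [Type, Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting a Length field that disagrees with the buffer."""
    if len(buf) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError(f"EAP Length {length} inconsistent with {len(buf)} bytes")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        return EapPacket(code, identifier, length, buf[4], bytes(buf[5:length]))
    return EapPacket(code, identifier, length, None, b"")


def build_avp(code: int, data: bytes, mandatory: bool = True,
              vendor_id: Optional[int] = None) -> bytes:
    """Serialise one AVP: 4-byte Code, Flags, 3-byte Length, [Vendor-ID], Data, pad to 4."""
    flags = (AVP_FLAG_MANDATORY if mandatory else 0) | (AVP_FLAG_VENDOR if vendor_id is not None else 0)
    header_len = 12 if vendor_id is not None else 8
    out = struct.pack("!I", code) + bytes([flags]) + (header_len + len(data)).to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def parse_avps(buf: bytes) -> List[DiameterAvp]:
    """Walk a sequence of AVPs, failing closed on any truncated or oversized one."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError(f"truncated AVP header at offset {off}")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < header_len or off + length > len(buf):
            raise ValueError(f"AVP {code} Length {length} inconsistent at offset {off}")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_FLAG_VENDOR else None
        avps.append(DiameterAvp(code, bool(flags & AVP_FLAG_MANDATORY), vendor_id,
                                bytes(buf[off + header_len:off + length])))
        off += length + (-length % 4)  # AVPs are padded to a 4-byte boundary
    return avps


def decode_inner_payloads():
    """Constructed sample: the same inner identity, framed the PEAP way and the TTLS way."""
    identity = build_eap(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"alice@example.net")  # constructed
    peap_inner = identity                                     # PEAP: an EAP packet in the tunnel
    ttls_inner = (build_avp(RADIUS_USER_NAME, b"alice@example.net")
                  + build_avp(RADIUS_EAP_MESSAGE, identity))  # TTLS: Diameter AVPs in the tunnel
    peap_view = parse_eap(peap_inner)
    ttls_view = parse_avps(ttls_inner)
    # The EAP-Message AVP carries a complete EAP packet, so the same EAP parser decodes it
    nested = parse_eap(next(a.data for a in ttls_view if a.code == RADIUS_EAP_MESSAGE))
    return peap_view, ttls_view, nested


if __name__ == "__main__":
    peap_view, ttls_view, nested = decode_inner_payloads()
    print("PEAP inner :", peap_view)
    for avp in ttls_view:
        print("TTLS AVP   :", avp)
    print("Nested EAP :", nested)
```

Both parsers check the declared length against the bytes actually present before slicing, which is the first thing to get right when decoding inner-tunnel data from clients that, as noted above, each implement the protocol slightly differently.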


