    Most secure for WPA enterprise (FreeRadius)

    • Panja

      I want to set up WPA enterprise for one of my SSIDs.

      What is the most secure option to choose:
      TLS, TTLS, PEAP or MSCHAPv2?

      • bingo600 LAYER 8 @Panja

        @panja

        You should also be asking
        Which of the above types do your clients support .....

        Usual clients
        Win / Linux / Apple IOS / Android etc ...

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 22.05 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 250G EVO870 Sata SSD

        • Panja @bingo600

          @bingo600

          That's a good question!

          There will be:
          Windows 10 (20H2), iPhone X or newer (iOS 14) and MacOS (v11 / Big Sur).

          • johnpoz LAYER 8 Global Moderator @Panja

            You should also ask if you're willing and able to deploy the certs to each device, which is what eap-tls would be.

            With eap-tls both the server and client require certs.

            While if any of those devices that are going to be on the network are not in your control, this becomes much more difficult.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 22.05 | Lab VMs CE 2.6, 2.7

            • Panja @johnpoz

              @johnpoz

              Managing the cert for EAP-TLS won't be a big deal.
              There will be max 10 users and all in own control.

              In this case would you say EAP-TLS will be most secure?
              What do you use yourself?

              • Gertjan @bingo600

                @bingo600 said in Most secure for WPA enterprise (FreeRadius):

                @panja
                You should also be asking

                What do I know ?
                Well ....

                TLS, TTLS, PEAP or MSCHAPv2?

                all means that you have to trust Apple, for example, as they have access to whatever you put in your iPhone.

                You could even consider dropping all kinds of Wifi encryption, as most of all the traffic is already TLS encrypted anyway.
                And that one can't be intercepted or replayed by Apple, Microsoft etc. And you just got a nice bonus : No maintenance or setup difficulties. You also totally avoid the situation where you think you're safe, because you have this nice "MSCHAPv2" (example) setup working, but you missed a detail and every network guy goes right through all your 'security' stuff. No action, it's proven, doesn't add new (unknown) issues.

                And what about a https auth captive portal, and when the user is logged, have him open a VPN to 'the other side'.

                All methods have their advantages, and disadvantages. Not choosing them as a non-expert** brings along a nice advantage.

                ** we're all dummies ..... otherwise we wouldn't be posting here ^^

                No "help me" PM's please. Use the forum.

                • johnpoz LAYER 8 Global Moderator @Gertjan

                  @gertjan said in Most secure for WPA enterprise (FreeRadius):

                  ** we're all dummies ..... otherwise we wouldn't be posting here ^^

                  Haha ;) dude that made me laugh.. Guess I will go away now ;) And you prob have little need to be here as well ;)
