Most secure for WPA enterprise (FreeRadius)
-
I want to set up WPA enterprise for one of my SSIDs.
What is the most secure option to choose:
TLS, TTLS, PEAP or MSCHAPv2? -
You should also be asking
What of the above types do your clients support ..... Usual clients
Win / Linux / Apple iOS / Android etc ... -
That's a good question!
There will be:
Windows 10 (20H2), iPhone X or newer (iOS 14) and macOS (v11 / Big Sur). -
You should also ask if you're willing and able to deploy the certs to each device, which is what EAP-TLS would be.
With EAP-TLS both the server and client require certs.
While if any of those devices that are going to be on the network are not in your control, this becomes much more difficult.
-
Managing the cert for EAP-TLS won't be a big deal.
There will be max 10 users and all in my own control. In this case would you say EAP-TLS will be most secure?
What do you use yourself? -
@bingo600 said in Most secure for WPA enterprise (FreeRadius):
@panja
You should also be asking
What do I know ?
Well ....
TLS, TTLS, PEAP or MSCHAPv2?
all means that you have to trust Apple, for example, as they have access to whatever you put in your iPhone.
You could even consider dropping all kinds of Wifi encryption, as most of all the traffic is already TLS encrypted anyway.
And that one can't be intercepted or replayed by Apple, Microsoft etc. And you just got a nice bonus : No maintenance or setup difficulties. You also totally avoid the situation where you think you're safe, because you have this nice "MSCHAPv2" (example) setup working, but you missed a detail and every network guy goes right through all your 'security' stuff. No action, it's proven, doesn't add new (unknown) issues. And what about a https auth captive portal, and when the user is logged, have him open a VPN to 'the other side'.
All methods have their advantages, and disadvantages. Not choosing them as a non-expert** brings along a nice advantage.
** we're all dummies ..... otherwise we wouldn't be posting here ^^
-
@gertjan said in Most secure for WPA enterprise (FreeRadius):
** we're all dummies ..... otherwise we wouldn't be posting here ^^
Haha ;) dude that made me laugh.. Guess I will go away now ;) And you prob have little need to be here as well ;)