Palmer J.D.F. wrote:
> Anyway, the $64000 question is which EAP method is the best to use?
> Which is the strongest EAP?
EAPs TLS, TTLS and PEAP are essentially equivalent. There's not much to
pick between them from this PoV.
> Which is the best supported EAP?
Pretty much all common supplicants support TLS, TTLS and PEAP. The odd
man out is the native Windows supplicant, which only does TLS and PEAP.
Another consideration, if you're a Windows shop, is that IAS only does
TLS and PEAP.
> Do you want Credential or Certificate based authentication?
All of the "strong" EAP methods (TLS, PEAP, TTLS) use certificates,
although TTLS and PEAP only need them for proving the server's identity
whereas TLS requires user certificates as well, which means that in HEFE
environments it's not commonly used!
> Personally I'm tending to favour EAP-PEAP(MSCHAPv2) at the minute as
> it's reasonably strong, widely supported and is based on user/machine
> credentials rather than a certificate; yet has the option of using a
> root cert to verify the auth server.
> The question is, is there anything better?
It depends on your environment mainly. Most decent RADIUS servers
support a range of EAP types, so there's nothing to stop you using PEAP
for Windows boxes and TTLS for Macs, for example.
> Can you EAP-TTLS/EAP-PEAP for example? If so can it be supported by any
Certainly, if your server and supplicants support the methods. Examples
of supplicants that could do this include wpa_supplicant, Meetinghouse
and Funk Odyssey.
> We are aware that wpa_supplicant will do just about anything, but what
> about the Longhorn/Vista client? How capable is that going to be?
I'll lay money on it not doing TTLS, unfortunately.
> Ideally whatever EAP method we choose to use on the network should be
> supported by Longhorn.
Safest to go with PEAP, then.
> Are there any documents anywhere that compare and contrast the abilities
> of the XP client to the proposed Vista/Longhorn client?
Not that I'm aware of. In fact, I've had difficulty finding any
information about the Vista/Longhorn supplicant. If anyone has any, I
would greatly appreciate a pointer!
> Will the Vista client support multiple encryption methods on a single
> SSID; or non-broadcast SSIDs?
Again, I have no information.
best regards, josh.