On Jan 9, 2023, at 5:17 PM, Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
> I'd say this is a major change because EAP-FAST-MSCHAPV2 can be directly 
> integrated with Windows AD but EAP-pwd and EAP-EKE can not. This is not to 
> bring back EAP-FAST-MSCHAPv2 but simply a note that Server Unauthenticated 
> Provisioning Mode is not as easy to use as in EAP-FAST.

  I'll add a note.

> > In practice, has anyone seen anything other than EAP-FAST-MSCHAPv2 actually 
> > be used for this? Win10/11 does not; and EAP-AKA/EAP-SIM is not exactly 
> > available to non-telcos, right? The other methods supported you would have 
> > the server (inner) identity available (ie. EAP-TLS) which opens the 
> > question why you would not also know the outer server identity.

  I have no opinion or experience here.

> Can't comment on what's used with TEAP but this is likely a surprise to those 
> who think they can quickly port EAP-FAST's Server Unauthenticated Provisioning 
> Mode to TEAP. 
>  
> Is it known how widely Unauthenticated mode is used? Can this be left as it 
> is for this round of TEAP update?

  Implementors please speak up.  :)

  I think it can be left as-is for this round of TEAP updates.  Realistically 
speaking, if the client verifies the server identity, then the connection is 
secure.  And any security issues with MS-CHAP become less relevant.

  i.e. MS-CHAP is insecure against offline dictionary attacks, for attackers 
who can view the MS-CHAP exchange.

  If we're running MS-CHAP inside of TLS, then only the client and server can 
observe the MS-CHAP exchange.

  If the client verifies the server identity (certificate, etc.), then this 
prevents MITM attacks.

  The server presumably already knows the password, so it gains no information 
by observing the MS-CHAP exchange.

  Any client which knows the password gains no information by observing the 
MS-CHAP exchange.

  Attackers can only try MS-CHAP with random guesses, and get rejected.  They 
can't do anything other than online guesses.

  Does that sound correct?

  Alan DeKok.
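The observability argument in the message above, as an added toy model (this is not code from the thread, from TEAP, or from any EAP implementation): a challenge-response exchange captured in the clear can be checked offline against a wordlist without ever touching the server, the same exchange inside a tunnel gives a passive observer nothing, and what remains is online guessing that the server counts and can lock out. The HMAC-SHA256 response, the SHAKE-256 "tunnel", the wordlist and the password are all constructed stand-ins and are deliberately not MS-CHAPv2 or TLS.

```python
import hashlib
import hmac
import secrets
from typing import Optional

CHALLENGE_LEN = 16
RESPONSE_LEN = 32


def password_response(password: str, challenge: bytes) -> bytes:
    """Client's proof of password knowledge. Toy construction (HMAC-SHA256),
    not the MS-CHAPv2 NT-hash/DES response; only the shape matters here."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


class Server:
    """Already knows the password (as the message notes) and counts online
    attempts, the only attacker interaction left once the exchange is tunnelled."""

    def __init__(self, password: str, max_attempts: Optional[int] = None):
        self._password = password
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(CHALLENGE_LEN)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(password_response(self._password, challenge), response)
        if not ok and self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True  # lockout: further online guesses are refused
        return ok


def tunnel_seal(plaintext: bytes, tunnel_key: bytes) -> bytes:
    """Stand-in for the TLS tunnel: XOR with a SHAKE-256 keystream so that an
    on-path observer sees only ciphertext. Toy confidentiality, nothing more."""
    keystream = hashlib.shake_256(tunnel_key).digest(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def run_exchange(server: Server, password: str, tunnel_key: Optional[bytes] = None):
    """One legitimate authentication; returns (accepted, bytes seen on the wire)."""
    challenge = server.new_challenge()
    response = password_response(password, challenge)
    accepted = server.verify(challenge, response)
    wire = challenge + response
    if tunnel_key is not None:
        wire = tunnel_seal(wire, tunnel_key)
    return accepted, wire


def offline_guess(wire: bytes, wordlist) -> Optional[str]:
    """Passive observer: parse what it saw as (challenge, response) and test
    candidates locally. On a cleartext exchange this recovers the password;
    on tunnelled bytes the parsed pair is meaningless and nothing matches."""
    challenge = wire[:CHALLENGE_LEN]
    response = wire[CHALLENGE_LEN:CHALLENGE_LEN + RESPONSE_LEN]
    for cand in wordlist:
        if hmac.compare_digest(password_response(cand, challenge), response):
            return cand
    return None


def online_guess(server: Server, wordlist) -> Optional[str]:
    """Without the password, every candidate costs a real exchange that the
    server counts, and lockout ends the attempt early."""
    for cand in wordlist:
        challenge = server.new_challenge()
        if server.verify(challenge, password_response(cand, challenge)):
            return cand
        if server.locked:
            break
    return None


# Constructed sample data for the demonstration.
WORDLIST = ["letmein", "hunter2", "Winter2023!", "correct horse"]
PASSWORD = "correct horse"


def demo() -> dict:
    # 1. Cleartext exchange: the observer recovers the password offline while
    #    the server logged only the single legitimate login.
    clear = Server(PASSWORD)
    _, wire = run_exchange(clear, PASSWORD)
    offline_clear = offline_guess(wire, WORDLIST)
    # 2. Same exchange inside the tunnel: the observer gets nothing.
    tunnelled = Server(PASSWORD)
    _, wire = run_exchange(tunnelled, PASSWORD, tunnel_key=secrets.token_bytes(32))
    offline_tunnelled = offline_guess(wire, WORDLIST)
    # 3. What is left is online guessing, which the server sees and can cut off.
    locked_server = Server(PASSWORD, max_attempts=3)
    online_locked = online_guess(locked_server, WORDLIST)
    open_server = Server(PASSWORD)
    online_open = online_guess(open_server, WORDLIST)
    return {
        "offline_clear": offline_clear,
        "offline_tunnelled": offline_tunnelled,
        "online_locked": online_locked,
        "online_locked_attempts": locked_server.attempts,
        "online_open": online_open,
        "online_open_attempts": open_server.attempts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third case is the detection angle the message leaves implicit: once the tunnel removes the offline path, every remaining guess shows up in the server's attempt counter, which is where lockout thresholds and failed-authentication alerting apply.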

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
