Article:		A Technical Comparison of TTLS and PEAP
Subject:		TTLS versus PEAP
Date:		2003-12-11 19:04:11
From:		anonymous2
I really am entertained about those that endorse PEAP over TTLS because it is pushed by Microsoft... Sounds like a GREAT idea to me.. especially when Microsoft cannot keep viruses under control with all their vulnerabilites they have on a day by day basis.. Remember Nimda, Sobig, Welchia. For those of you endorsing PEAP because Microsoft developed it, take time to pat Microsoft on the back... I am sure those of us IT professionals who work hard cleaning up the mess caused by the viruses will appreciate it. One last point.... Take a Wireless Sniffer like Wild Packets AiroPeek and watch the EAP authentication for PEAP before the protected tunnell is setup.... What the unencrypted username go by... Don't worry it will get encrypted but not before the tunnell is setup. You can see this with AiroPeek. Now go back and do the same thing with TTLS and use the Odyssey client to send anonymous to foil the WLAN hacker with a sniffer. Guess what you will see in AiroPeek... anonymous. Now you tell me which one is more secure: TTLS or PEAP... Remember we are talking about Wireless.... Do you want your company to be another WLAN hack statistic because of Microsoft's lack of concern for security. Oh, and do remember there are 2 versions of PEAP. Cisco and Microsoft went divided in their efforts and each did their own implementation. JMK, CISSP

Showing messages 1 through 2 of 2.

• TTLS versus PEAP
  2008-07-29 16:51:49  sn555 [Reply | View]
  
  
  I like to comment on one point that JMK made; user identity being passed to authenticator before the tunnel is set up. Note that this is first user ID passed, requested by (i.e) wireless AP. This userid will always be passed unencrypted but the catch is to configure, on the supplicant, this id as anonymous instead of real user id. Wireless AP won't care whether 'anonymous' or real id is received. In this sense, both PEAP and TTLS supports user identity hiding.
  
  Just a side note, I am still going with TTLS since I have to support *nix clients.

• TTLS versus PEAP
  2003-12-22 07:26:39  anonymous2 [Reply | View]
  
  
  I would like to add something else against the Microsoft PEAPv0 implementation that is part of the Windows XP sp1 and Windows 2003 IAS: It seems that the IAS RADIUS server in sending in the clear to the access point the FULL MSCHAP V2 exchange(Challenge, Peer Challenge, NTResponse...) in RADIUS attribute in one of the last success RADIUS frame. The power of the PEAP implementation was that this exchange (in the Phase 2) was encrypted by the TLS established in the phase1. So why is IAS sending in the clear this exchange at the end of the authentication.
  It seems that it is a huge security issue, or maybe i am mistaking...