EAP Method Feature Comparison
The following is a comparison of the most common EAP methods deployed in the eduroam-US ecosystem.
| EAP-Type | Native Supplicant Support | Pros | Cons |
|---|---|---|---|
| EAP-TLS | Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) | | |
| EAP-TTLS | Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) | | |
| EAP-PEAP | Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+) | | |
- The complexity of configuring TLS certificates on end-user devices may be mitigated using configuration tools such as the iPhone Configuration Utility for iOS devices (iPhone, iPod Touch, iPad), Active Directory for Windows devices (XP, Vista), etc.
- Man-in-the-Middle attacks may be perpetrated against any SSL/TLS-protected service in which the server certificate is not validated. Validation depends on the signing Certificate Authority's (CA) certificate being present in the root store of the device. For common CAs the certificate is usually bundled with the operating system. If an institution opts to use a CA that is not shipped with common operating systems, or its own CA that is not an intermediate of a well-known CA, then it must take responsibility for distributing its CA certificate and installing it correctly on end-user devices. The same configuration tools discussed above for reducing the complexity of configuring TLS certificates on end-user devices may sometimes also be used to install the necessary CA certificates, even when using EAP methods other than EAP-TLS (or PEAP-TLS).
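As an added example (not part of the original comparison), the following Python script audits wpa_supplicant network blocks for the validation gap described above: a constructed weak EAP-TTLS profile with no ca_cert sits beside a hardened EAP-PEAP profile that pins the institution's CA certificate. The SSIDs, identities and file paths are assumptions, and the domain_suffix_match check goes beyond the CA-only validation the note discusses (it ties the validated chain to the RADIUS server's name).

```python
import re
# Constructed wpa_supplicant.conf fragments (not from the original page).
# Weak: no ca_cert, so the supplicant accepts any server certificate.
WEAK_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    phase2="auth=MSCHAPV2"
}
"""
# Hardened: the institution's CA certificate is pinned; domain_suffix_match
# additionally ties the chain to the RADIUS server name (beyond the page).
HARDENED_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

def parse_networks(conf):
    """Return one dict of key/value settings per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def audit(conf):
    """Return (ssid, finding) pairs for EAP networks that cannot validate the server."""
    findings = []
    for net in parse_networks(conf):
        if net.get("key_mgmt") != "WPA-EAP":
            continue
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: server certificate not validated"))
        if "domain_suffix_match" not in net:
            findings.append((ssid, "no domain_suffix_match: any cert from the CA accepted"))
    return findings
```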