
The decision which EAP type(s) to deploy on your eduroam IdP depends on several factors:

  • Capabilities of your Identity management backend
  • Types of devices you want to support
Choices depending on the Identity Management System

Regarding the identity management backend, the most fundamental differentiation between EAP types is the type of credential they support and, for passwords, the format in which the backend stores them. The reason lies in the inner authentication method: MS-CHAPv2, the usual inner method of PEAP and EAP-FAST, is a challenge/response that both sides compute from the NT hash of the password, so the server must be able to obtain that NT hash; PAP, available as an inner method of EAP-TTLS, carries the password itself through the TLS tunnel, so the server can check it against whatever form the backend stores.

  • Does your identity management backend support X.509 Client Certificates? Then you can use EAP-TLS.
  • Does your identity management backend use username/password combinations?
    • Does it store the passwords either in clear text or as an NT hash (an unsalted MD4 of the UTF-16LE password; this is a hash, not an encryption)? Then you can use EAP-TTLS, PEAP, EAP-FAST and more.
    • Does it store the passwords in a different crypt format (a salted, one-way hash such as crypt(3) or SSHA)? Then you can use EAP-TTLS only, with PAP as the inner method.

As you can see, the decision depends largely on your identity management system, so your choices may be limited. More concrete advice for some IdM backends:

  • Microsoft Active Directory: stores passwords as NT hashes, so MS-CHAPv2 and therefore PEAP are possible. Note that the NT hash is not readable over LDAP; a RADIUS server normally delegates the MS-CHAPv2 check to the domain (e.g. via ntlm_auth on a domain-joined host), whereas a plain LDAP bind against AD only gives you PAP.
Choices depending on the envisaged devices

The landscape of wireless-enabled devices is rather heterogeneous, and support for EAP types varies. Ideally, you should survey which types of devices you can expect among your user base, check the capabilities of those devices, and make an informed decision about the EAP type of choice.

However, the EAP protocol is flexible enough to handle multiple EAP types: if your IdM backend can support the use of multiple EAP types, then you can configure all the supported EAP types. In that case, you have to select a "default" EAP type, which is the one the server proposes first; a client that does not support it answers with an EAP NAK naming the type it wants, and the server switches if it offers that type. The default should therefore be set to the EAP type with the broadest support in your client base, so that most clients authenticate without this extra round trip.

Now, assuming you have the option of configuring a range of EAP types *and* your clients support that same range, which of these types should you prefer? We suggest the use of PEAP over EAP-TTLS.
