EAP-TLS Attributes

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Nov 17 20:58:52 CET 2011


On 17 Nov 2011, at 19:15, Houston-III, Lester L wrote:

> Thanks for the responses.  I see that I need to devise a different way of getting the data across.  At the very least I have the groundwork done with EAP and maybe I can implement a VSA sometime later.
> 
> -----Original Message-----
> From: freeradius-users-bounces+lester.l.houston-iii=boeing.com at lists.freeradius.org [mailto:freeradius-users-bounces+lester.l.houston-iii=boeing.com at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Thursday, November 17, 2011 5:15 AM
> To: FreeRadius users mailing list
> Subject: Re: EAP-TLS Attributes
> 
> Houston-III, Lester L wrote:
>> Basically, I want to provide some data that's obtained from an external source to my VPN client that is made available to JRADIUS via FreeRADIUS.  I need this data to be available for the authorization phase because it will be used by JRADIUS for determining whether a user is authorized for access. I haven't gotten much information about the data that needs to be transmitted, but I was told that it's 20-30 bytes
> 
>  EAP doesn't work like that. :(
> 
>  It's not a generic transport mechanism for sending data from point A
> to point B.  The data sent in EAP is defined by the protocol.  Nothing
> else is sent, and nothing else *can* be sent.

According to Alan, attributes included in the Diameter tunnel within EAP-TTLS are automatically converted into RADIUS attributes.
I honestly can't remember if TTLS allows for validation of the client certificate when setting up the TLS tunnel, but if it does, then that would probably be your best bet. If it doesn't, then you could always run EAP-TLS within EAP-TTLS, which would be supported by FreeRADIUS without code modifications.

You would however have to modify the supplicant.

-Arran

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
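
An added example, not part of the original message and not FreeRADIUS code: a sketch of how Diameter-format AVPs carried inside the EAP-TTLS tunnel (layout per RFC 5281) can be mapped onto RADIUS attributes, including a vendor-specific one sized like the 20-30 bytes discussed in the thread. The function names, the sample payload and vendor number 32473 (the enterprise number reserved for documentation) are assumptions made for the illustration.

```python
import struct

FLAG_VENDOR = 0x80     # 'V' bit: a 4-octet Vendor-ID follows the length field
FLAG_MANDATORY = 0x40  # 'M' bit

def build_avp(code, data, vendor=0):
    """Encode one tunnel AVP (used here only to construct sample input)."""
    flags = FLAG_MANDATORY | (FLAG_VENDOR if vendor else 0)
    length = (12 if vendor else 8) + len(data)   # header + data, padding excluded
    out = struct.pack("!II", code, (flags << 24) | length)
    if vendor:
        out += struct.pack("!I", vendor)
    out += data
    return out + b"\x00" * (-len(out) % 4)       # pad to a 4-octet boundary

def parse_ttls_avps(buf):
    """Split a decrypted tunnel payload into (code, vendor, flags, data) tuples."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else 0
        avps.append((code, vendor, flags, buf[off + hdr:off + length]))
        off += (length + 3) & ~3                 # skip the padding as well
    return avps

def to_radius(code, vendor, data):
    """Encode an AVP as a RADIUS attribute; None if it has no RADIUS form."""
    if not 1 <= code <= 255:
        return None                              # outside the RADIUS type space
    if vendor == 0:
        if len(data) > 253:
            return None
        return bytes([code, len(data) + 2]) + data
    if len(data) > 247:
        return None
    sub = bytes([code, len(data) + 2]) + data    # vendor sub-attribute
    return bytes([26, len(sub) + 6]) + struct.pack("!I", vendor) + sub

# Constructed sample: User-Name plus a 24-byte vendor attribute.
SAMPLE = build_avp(1, b"lester") + build_avp(1, bytes(range(24)), vendor=32473)

def convert(buf):
    return [to_radius(c, v, d) for c, v, _f, d in parse_ttls_avps(buf)]
```
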