EAP-TTLS/EAP-TLS with freeRADIUS
rudat at endstelle.de
Sat Nov 26 23:32:22 CET 2011
On 26.11.2011 22:04, Mr Dash Four wrote:
> I am trying to set up freeRADIUS server implementing (wireless) user
> authentication (running wpa_supplicant) via AP (running hostapd).
> After reading various howto's and documentation as well as looking at
> numerous sources on the Internet, I can't see a way in which the AP is
> authenticated to the RADIUS server by using only its certificate
> attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always
> needs some sort of "password" or "shared secret" specified.
So it is; you can only protect your AP client with the shared secret key.
> Is it possible *not* to use this and rely solely on the
> strength/culpability (depending on the way one looks at it) of PKI? If
> so, how do I achieve that? A very simple configuration file example
> would suffice! In relation to that - another question: the rlm_eap
> text file (in the doc/ directory) distributed with the source code (I
> am using 2.1.12) states that "Currently Freeradius supports only 2
> EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so?
> As for the actual EAP-TTLS/EAP-TLS authentication process I have
> another query - my understanding of the theory behind this method is
> that the authentication/authorisation process is done in two distinct
> phases - outer and inner authentication. This also allows for the use
> of two distinct sets of (client, server, ca) certificates to be
> specified in each phase. If that is so, how is this
> configured/specified in the eap.conf configuration file (or elsewhere)?
> Many thanks!
More information about the Freeradius-Users