EAP-TTLS/EAP-TLS with freeRADIUS

Andreas Rudat rudat at endstelle.de
Sat Nov 26 23:32:22 CET 2011


On 26.11.2011 22:04, Mr Dash Four wrote:
> I am trying to set up freeRADIUS server implementing (wireless) user
> authentication (running wpa_supplicant) via AP (running hostapd).
>
> After reading various howto's and documentation as well as looking at
> numerous sources on the Internet, I can't see a way in which the AP is
> authenticated to the RADIUS server by using only its certificate
> attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always
> needs some sort of "password" or "shared secret" specified.
>
So it is; you can only protect your AP client with the shared secret key.

> Is it possible *not* to use this and rely solely on the
> strength/culpability (depending on the way one looks at it) of PKI? If
> so, how do I achieve that? A very simple configuration file example
> would suffice! In relation to that - another question: the rlm_eap
> text file (in the doc/ directory) distributed with the source code (I
> am using 2.1.12) states that "Currently Freeradius supports only 2
> EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so?
>
> As for the actual EAP-TTLS/EAP-TLS authentication process I have
> another query - my understanding of the theory behind this method is
> that the authentication/authorisation process is done in two distinct
> phases - outer and inner authentication. This also allows for the use
> of two distinct sets of (client, server, ca) certificates to be
> specified in each phase. If that is so, how is this
> configured/specified in the eap.conf configuration file (or elsewhere)?
>
> Many thanks!
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


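As background to the reply above, this sketch shows how the per-client shared secret authenticates RADIUS packets between the AP (NAS) and the server: the HMAC-MD5 Message-Authenticator on requests carrying EAP (RFC 3579) and the MD5 Response Authenticator on replies (RFC 2865). It is an added example, not part of the original post and not FreeRADIUS code; the secret, user name and packet contents are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, request_auth, attrs, secret):
    """NAS side: append Message-Authenticator = HMAC-MD5(secret, whole packet)."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_access_request(packet, secret):
    """Server side: recompute the HMAC with the field zeroed and compare."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator: reject, as required for EAP

def response_authenticator(code, ident, request_auth, attrs, secret):
    """Server reply: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

# Constructed sample data (not from the thread).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ATTRS = attr(USER_NAME, b"alice") + attr(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")
PACKET = build_access_request(7, REQUEST_AUTH, ATTRS, SECRET)

if __name__ == "__main__":
    print(verify_access_request(PACKET, SECRET), verify_access_request(PACKET, b"other"))
```

A request signed with one secret fails verification under any other, which is why the server needs a secret configured for each AP regardless of the certificates used inside EAP.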




More information about the Freeradius-Users mailing list