EAP-TTLS/EAP-TLS with freeRADIUS

Sven Hartge sven at svenhartge.de
Sun Nov 27 00:07:13 CET 2011


Mr Dash Four <mr.dash.four at googlemail.com> wrote:

>>> After reading various howtos and documentation as well as looking
>>> at numerous sources on the Internet, I can't see a way in which the
>>> AP is authenticated to the RADIUS server by using only its
>>> certificate attributes (CN, Subject, Issuer etc.) - it seems that
>>> freeRADIUS always needs some sort of "password" or "shared secret"
>>> specified.

>> So it is, you can only protect your AP client with the shared secret
>> key.

> In other words, EAP-TTLS/EAP-TLS isn't actually supported in
> freeRADIUS?

It is. I believe you misunderstood how RADIUS works.

The connection between the AP (called NAS in RADIUS) and the
RADIUS server is only protected by the shared secret configured in
clients.conf.

Yes, this is kind of weak. And because of this weakness a protocol like
RADsec has been developed, which is essentially
RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole
RADIUS session.

So far I have not seen any devices like APs, dial-in servers, etc.
that support RADsec. But this is normally no problem, since those devices
are usually located in a safe network with the RADIUS server.

RADsec for example is used in the Deutsche Forschungsnetz (DFN), to
secure inter-university RADIUS connections over the Internet to
authenticate Eduroam users.

Back to EAP-(T)TLS:

The connection between a connecting device such as a laptop, which
connects to a NAS, can be secured via EAP-(T)TLS, which is a protocol
transported via RADIUS packets.

This, of course, has been supported by FreeRADIUS for ages.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
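The point above about the NAS-to-server link being protected only by the clients.conf shared secret can be made concrete. The following is an added example, not code from the thread or from FreeRADIUS: it builds a RADIUS reply with the RFC 2865 Response Authenticator (MD5 over the packet plus the secret) and shows the NAS-side check that a reply was produced by a server holding the same secret. The secret, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code

def encode_attrs(attrs):
    """Serialise (type, value) pairs into RFC 2865 TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def make_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret):
    """NAS side: recompute the authenticator with the shared secret from
    clients.conf and compare in constant time. Note that this is only an
    integrity check; the attributes themselves travel in the clear, which
    is exactly the weakness RADsec (RADIUS over TLS) addresses."""
    if len(packet) < 20:
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(received, expected)

def demo():
    """Constructed exchange (not captured traffic): one Access-Accept, id 7."""
    secret = b"testing123"            # constructed shared secret
    request_auth = bytes(range(16))   # constructed; random per request in practice
    attrs = [(18, b"Welcome"), (27, struct.pack("!I", 3600))]  # Reply-Message, Session-Timeout
    reply = make_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    # Same length, different Session-Timeout: the authenticator no longer matches.
    tampered = reply[:20] + encode_attrs([(18, b"Welcome"), (27, struct.pack("!I", 86400))])
    return {
        "genuine": verify_response(reply, request_auth, secret),         # True
        "wrong_secret": verify_response(reply, request_auth, b"other"),  # False
        "tampered": verify_response(tampered, request_auth, secret),     # False
    }

if __name__ == "__main__":
    print(demo())
```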