Mr Dash Four mr.dash.four at googlemail.com
Sun Nov 27 01:51:32 CET 2011

> No, the shared secret is not transmitted over the wire. 
> For additinal information see RFC2865, §2:
> "When a password is present, it is hidden using a method based on the
> RSA Message Digest Algorithm MD5. (see RFC131).
MD5 is broken.

>> My question still remains though  - since this is a two-phase
>> authentication, two distinct sets of (ca, server, client) certificates
>> can be used. How do I specify these in RADIUS?
> Which distinct set of certificates?
OK, for the first phase (EAP-TTLS) there is the CA certificate, server 
certificate/key and, optionally, the client certificate/key 
(fetched/presented on request if I configure this on the client side).

For the second phase (EAP-TLS) - there is, again, the CA certificate, 
the client certificate/key (which is used to actually authenticate the 
client) and the server certificate/key. For this second phase the CA, 
server certificate/key as well as client certificate/key may be 
different (they can be configured to be different - at least that is how 
it is done on the client side with wpa_supplicant.conf).

The question is - how do I specify the CA, CA2, server certificate/key 
and server certificate/key second pair (for phase two) in RADIUS?

> The server certificate and key is configured via eap.conf.
As far as I can see in eap.conf I can only configure *one* CA (CA_file) 
and one server certificate/key ("certificate_file", "private_key_file" & 
"private_key_password" options) - all via "tls {}". So, there is no room 
for one of the phases - unless I am missing something obvious. If I want 
to use a different CA_file and different server certificate/key for the 
other phase how do I do that in RADIUS?

To illustrate my point a bit more clearly - in wpa_supplicant.conf (on 
the client side) I can specify the following parameters with regards to 

# Phase 1 / outer authentication
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test 
AS/emailAddress=ap_server at example.com"
altsubject_match="EMAIL:ap_server at example.com;DNS:dns.example.com;DNS:dns2.example.com"
# Phase 2 / inner authentication
subject_match2="/C=US/ST=CA/L=San Francisco/CN=Test2 
AS/emailAddress=ap_server2 at example.com"
altsubject_match2="EMAIL:ap_server2 at example.com;DNS:dns.example.com;DNS:dns2.example.com"

So, on the client side I could configure two sets of the 
keys/certificates required. How do I do that with RADIUS?

Also, how do I actually configure/specify the user authentication 
certificate? I need to be able to authenticate user by the various 
certificate attributes (CN, Subject etc) - in both phases!

More information about the Freeradius-Users mailing list