EAP-TTLS/EAP-TLS with freeRADIUS

Stefan Winter stefan.winter at restena.lu
Mon Nov 28 08:16:45 CET 2011


Hi,

>>   You haven't done that.
>>   
>   You're smart if you spend the time to understand what you're talking
> I know what I am talking about. When there is something I don't know,
> however - I ask, politely, and expect the same from others (that
> doesn't include you, apparently).

I think what Alan was trying to point out is that it is easy to find
answers to your basic questions without asking this mailing list. The
security of RADIUS is incredibly well-documented, and not specific to
FreeRADIUS. So if your problem is that you don't know whether a
RADIUS shared secret is sent in clear text or not - and jump to false
conclusions based on your *belief* about how it *might* work (even if you
are wrong in your assumptions) then that is typically called "noise" on a
mailing list. You might rather want to clarify that aspect yourself. I
just typed "RADIUS shared secret" into Google, and found actual on-topic
results - on page one. Microsoft Technet unfortunately, but better than
nothing.

Now to get more down to the topic. You mention that security is
paramount, which is correct. When you are using EAP-TLS or EAP-TTLS,
security of your transmitted credentials comes by virtue of the TLS
tunnel that is established within that EAP method. The transport-layer
security of RADIUS adds nothing to the security of these credentials. In
that case, it doesn't matter much - for security reasons - whether your
Access Points talk RADIUS (IP+shared secret) or RADIUS/TLS.

What *is* revealed if you use "only" RADIUS, is some of the
not-so-significant attributes in the Access-Request like the MAC address
of the connecting client in Calling-Station-Id. That you might possibly
see as a rather minimal privacy invasion if an eavesdropper listens on
the packet; in that case, RADIUS/TLS would be a way of mitigating that.

Your thread contains lots of confusion, false assumptions and wrong
conclusions. There is always a danger that that kind of "half-knowledge"
spreads and leads to FUD. So to be abundantly clear:

Transport security
-------------------------
* traditional: fixed bindings of IP address+shared secret; uses MD5 for
hash calculation
* TLS security: either TLS-PSK (drop-in replacement for shared secret)
or certificate based

Credential security
--------------------------
* most EAP types "roll their own", which makes transport security less
relevant
* EAP-TLS, TTLS, PEAP, FAST are among those
* FreeRADIUS supports all of these EAP types just fine
* some weak EAP types don't provide that security on their own, and either
   - need to be tunneled within TTLS and friends - or -
   - need to be secured by transport security

I think this answers all the questions in your thread and counteracts
all the conclusions you jumped to mid-way. If I may add: almost none
of these questions were specific to *FreeRADIUS - the product* - they
were about the RADIUS protocol. This mailing list is not the place to
ask random questions about RADIUS. Read up on it on the internet, buy a
book, or visit a course about RADIUS. The mailing list is about
configuring FreeRADIUS.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
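
Added example (editorial; not part of Stefan's mail and not FreeRADIUS
code). The mail's "Transport security" list says traditional RADIUS is
IP+shared secret with MD5, and that the secret is not sent in clear text.
The script below shows, per RFC 2865/2869, the three places the secret is
actually used on the wire: hiding User-Password, the Response Authenticator
on the reply, and the HMAC-MD5 Message-Authenticator that EAP traffic
carries. It also lists what a passive eavesdropper still sees without the
secret (User-Name, Calling-Station-Id, the opaque EAP-Message bytes), which
is the privacy point made above. The secret, MAC address, user name and the
EAP-Message payload are constructed sample values, not captured traffic.

```python
"""RADIUS over UDP: what the shared secret protects (RFC 2865 / RFC 2869).

Constructed demo for the thread above; not FreeRADIUS code. The secret
never appears in a packet; it is only an input to MD5 / HMAC-MD5.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_CALLING_STATION_ID, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 31, 79, 80
ATTR_NAMES = {1: "User-Name", 2: "User-Password (hidden)", 31: "Calling-Station-Id",
              79: "EAP-Message (opaque TLS bytes)", 80: "Message-Authenticator"}


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; only works with the correct shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, incl. header) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:                      # malformed TLV; refuse rather than loop forever
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret: bytes, identifier: int, request_auth: bytes, attrs):
    """Access-Request with Message-Authenticator (RFC 2869 5.14), mandatory with EAP.

    HMAC-MD5 keyed with the shared secret is computed over the whole packet
    with the Message-Authenticator value zeroed, then written into place.
    """
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac               # placeholder is the last 16 bytes


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    attrs = decode_attrs(packet[20:])
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return False
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def build_response(secret: bytes, request: bytes, code: int, attrs) -> bytes:
    """Reply whose Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """The NAS checks this; an attacker without the secret cannot forge an Accept."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def eavesdropper_view(packet: bytes):
    """What a passive listener between NAS and server sees without the secret."""
    return [(ATTR_NAMES.get(t, f"attr-{t}"), v) for t, v in decode_attrs(packet[20:])]


if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed; never transmitted
    request_auth = os.urandom(16)
    # Constructed EAP-Response/EAP-TLS fragment: code 2, id 1, length, type 13, flags, TLS bytes.
    eap = bytes([2, 1, 0, 11, 13, 0x00]) + b"\x16\x03\x03\x00\x00"
    req = build_access_request(secret, 7, request_auth, [
        (ATTR_USER_NAME, b"anonymous@example.org"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),   # constructed MAC
        (ATTR_EAP_MESSAGE, eap),
    ])
    for name, value in eavesdropper_view(req):
        print(f"{name:32s} {value!r}")
    reply = build_response(secret, req, ACCESS_ACCEPT, [])
    print("reply verifies with secret:", verify_response(secret, req, reply))
    print("reply verifies with wrong secret:", verify_response(b"wrong", req, reply))
```

Running it prints the attributes an eavesdropper can read in full (the
user name and MAC address) and the EAP-Message bytes, which are just the
TLS handshake fragments the client would have sent anyway; the actual
credential lives inside the TLS tunnel the EAP method builds, which is the
point of the "Credential security" list above. RADIUS/TLS would wrap the
whole packet, including Calling-Station-Id, in TLS.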

