freeradius eap-ttls user/pass + cert

Matthew Newton mcn4 at leicester.ac.uk
Thu Feb 23 11:49:49 CET 2012


Hi,

On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
> 2. configured ttls/server cert password in eap.conf and everything worked
> fine. Then I read somewhere that username/password authentication alone is
> not secure as some information is passed in clear text?!

You need to decide what auth methods you want to support.

PAP on its own sends the password in clear-text.

Sounds like you are trying to set up EAP-TTLS/PAP, which means
that the password is now inside a TLS tunnel, so no longer
clear-text on the wire.

> I added "EAP-TLS-Require-Client-Cert = Yes" in the "authorize-section" of the
> default-site in sites-enabled.

The magic code is something more like

update control {
  EAP-TLS-Require-Client-Cert := Yes
}

> (I also tried to add it to users-file, which didn't work, what does work is
> DEFAULT EAP-TLS-Require-Client-Cert := Yes)

However, many supplicants can't do client certificates with TTLS
(or PEAP), so this is likely to lead you into trouble unless you
always know exactly what clients you're dealing with.

If you want to use certificates for authentication then you're
probably best to just use EAP-TLS (not TTLS).

> using Fedora 16 as client, I now had to use a certificate, I added the earlier
> created client.pem, but the server fails to authenticate with the message "unknown
> ca cert", I also tried to use ca.pem, but with a negative result.

The CA for client cert validation goes in CA_file - did you set
that?

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
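As an added example (not from this thread or from the FreeRADIUS project), a shell script that reproduces with openssl the chain check behind that "unknown ca" message: it builds a throwaway CA, a client certificate signed by it, and an unrelated CA, then shows that only the issuing CA, i.e. the one CA_file must point at, validates the client certificate. CA names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. The "unknown ca" failure is the
# server rejecting the client certificate because its issuer is not in
# the file named by CA_file in the tls section of eap.conf. The same
# chain check can be run with openssl before touching the server config.
# Everything here (CA names, file names) is constructed for the demo.

# Return 0 if CLIENT_CERT ($2) chains to a CA in CA_FILE ($1), non-zero
# otherwise (the check OpenSSL performs on the tunnelled client cert).
chains_to_ca_file() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in DIR: ca.pem (issuer of client.pem), client.pem,
# and other-ca.pem, an unrelated CA that reproduces the "unknown CA" error.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Demo RADIUS CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=demo-client" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# Demo: the issuing CA as CA_file accepts client.pem, an unrelated one rejects it.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
if chains_to_ca_file "$demo_dir/ca.pem" "$demo_dir/client.pem"; then
    echo "CA_file=ca.pem: client.pem accepted"
fi
if ! chains_to_ca_file "$demo_dir/other-ca.pem" "$demo_dir/client.pem"; then
    echo "CA_file=other-ca.pem: client.pem rejected (unknown CA)"
fi
rm -rf "$demo_dir"
```

The same check applies to the real files: run openssl verify with the file CA_file points at against the client certificate the supplicant presents; if that fails, the server will report the client cert as coming from an unknown CA.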



More information about the Freeradius-Users mailing list