Authentication with certificates

Olivier Nicole olivier.nicole at cs.ait.ac.th
Tue Jul 3 10:53:20 CEST 2012


Hi,

>> > Where can I read what other possibilities there are to authorize a client
>> > for an AP using a RADIUS server as backend.
>>
>> it depends on what you want to do. you were talking about authenticating
>> using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
>> which means the client uses a certificate
>
> OK
>
> I wonder what other possibilities than certificates there are to authorize
> a client to a network using WLAN. Like hotspots, internet cafes and hotels
> for example. I mean, handing over a certificate to a client on a USB stick
> seems impracticable to me.

EAP-PEAP/TLS will allow some user name/password authentication.

But! The password must be stored in either plain text or NT encryption
format in your database of users.

If you are setting up eduroam, you only have to care about the
passwords of your own users, so handling a certificate may not be
a problem (you don't have to manage guests).

If you plan to offer a service for guests, 802.1X may be too much and
you should look at a captive portal solution, but still using RADIUS
as the backend for authentication.

Best regards,

olivier

> [ ... snip ]
>
>> > But I do not get a lease from the AP.
>>
>> that's because, as you can read, you never got an Access-Accept. the flow above
>> shows that your request arrived at the server....the server is configured to use
>> MD5 by default in the inner-tunnel (so change that to the method you will use most,
>> e.g. TTLS) and so the server sent a NAK. the client was then put through using TTLS
>> but the server sent an Access-Challenge that never got answered....which is in the
>> FAQ - the client doesn't trust the server. you need to ensure that you have added
>> the CA in the right certificate store on the client..... as this is 802.1X a quick
>> hint - do a google search for 'eduroam configuring client' and you should find
>> countless examples from universities worldwide on how to configure a client for
>> doing this sort of thing....some sites will have step by step instructions so you
>> can see how to do it on Windows XP/Vista/7, OS X 10.6 etc.
>>
>> ..and a favour in return..if you find any sites that DON'T tell the users to check
>> the CA and put the right name in the verification box, then please email me ;-)
>>
>> > Strange, where can I read about this?
>>
>> EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are
>> blocked from internet search engines
>>
>> > > 4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
>> >
>> > Ok, disabled SQL and made entries in the users file.
>>
>> ..but from what you said above (using TTLS) - there is nothing wrong with using
>> MySQL/PostgreSQL etc.
>>
>> though we DO advise people to start simple. start with users file rather than some fancy backend
>> storage. once you see things working and have things in a working state, THEN bring in the good stuff(tm)
>>
>> > > 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
>> >
>> > allright, will do that if I can see some land in this ocean
>>
>> I would start with the upgrade first - the certificate make files got some fixes
>> and improvements too! ;-)
>
> So I followed your hint and compiled and installed freeradius-server-2.1.12.
> Created new certificates and changed md5 to ttls in eap.conf and the client.conf
> to accept my client.
> I configured the Linux-Client with Yast to connect to the AP using the ca.pem.
> The handshake works and I get a lease. Now this is great! The NetworkManager didn't
> do it.
>>
>> alan
>
> Thank you very much for your initial help! Now I can go on examining the server.
>
>   Andreas
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
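The point Olivier makes about password storage (and Alan's advice to start with the plain users file) is worth seeing concretely. The following is an added example written for this page; it is not code from the thread, from FreeRADIUS or from any of the posters. It shows why PEAP or TTLS with an MS-CHAPv2 inner method forces the server to hold either the cleartext password or its NT hash (MD4 over the UTF-16LE password), while a salted one-way hash such as SSHA-256 can only serve a PAP inner method. MD4 is implemented in pure Python because many OpenSSL 3 builds no longer expose it through hashlib. The function names (md4, nt_hash, inner_methods_for, users_file_entry), the users alice, bob and carol, the passwords and the fixed salt are all assumptions of this example; the attribute names Cleartext-Password, NT-Password, SSHA2-256-Password and Crypt-Password are the real FreeRADIUS attribute names, and the generated lines use the standard users-file syntax. The method mapping is a simplified summary, not a statement about every rlm_pap/rlm_mschap option.

```python
"""Added example: which stored-password forms can back which PEAP/TTLS inner methods."""
import base64
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (demonstration only, not for bulk hashing)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & _MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & _MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc  # rotate the working variables
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); MS-CHAPv2 proves possession of exactly this."""
    return md4(password.encode("utf-16-le"))


def ssha256(password: str, salt: bytes) -> str:
    """Salted SHA-256 as stored in an LDAP-style {SSHA256} field: base64(digest || salt)."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def inner_methods_for(attr: str) -> set:
    """Simplified mapping: which inner methods a given stored-password attribute can serve."""
    if attr == "Cleartext-Password":
        return {"PAP", "CHAP", "MS-CHAPv2"}  # server can derive anything it needs
    if attr == "NT-Password":
        return {"PAP", "MS-CHAPv2"}          # the NT hash itself is what MS-CHAPv2 needs
    if attr in {"Crypt-Password", "SSHA2-256-Password"}:
        return {"PAP"}                       # one-way and salted: only a cleartext PAP check works
    return set()


def users_file_entry(user: str, password: str, store: str, salt: bytes = b"\x00" * 8) -> str:
    """Render one FreeRADIUS users-file line for the chosen storage form (example helper)."""
    if store == "Cleartext-Password":
        return f'{user}\tCleartext-Password := "{password}"'
    if store == "NT-Password":
        return f'{user}\tNT-Password := "0x{nt_hash(password).hex()}"'
    if store == "SSHA2-256-Password":
        return f'{user}\tSSHA2-256-Password := "{ssha256(password, salt)}"'
    raise ValueError(f"unsupported storage form {store!r}")


if __name__ == "__main__":
    # Constructed sample users; the salt is fixed only so the output is reproducible.
    for user, pw, store in [("alice", "password", "Cleartext-Password"),
                            ("bob", "password", "NT-Password"),
                            ("carol", "password", "SSHA2-256-Password")]:
        print(users_file_entry(user, pw, store))
        print("   inner methods possible:", sorted(inner_methods_for(store)))
```

Running the block prints three users-file lines and, for each, the inner methods the server could complete with that stored form; carol's SSHA-256 entry leaves only PAP, which is the constraint Olivier describes. If an existing user database holds only salted one-way hashes, the practical choices are EAP-TTLS/PAP (the password travels in clear inside the TLS tunnel, so the client must verify the server certificate and CA name, as Alan insists) or migrating to NT hashes or cleartext.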


More information about the Freeradius-Users mailing list