Authenticator -to- RADIUS connection

Turner, Randy Randy.Turner at landisgyr.com
Tue Oct 5 19:00:33 CEST 2021


We are using a package called “hostapd” to talk to FreeRADIUS – in some of the hostapd documentation they refer to hostapd as an 802.1x “authenticator”

This was the term I used in my original question which may have readers thinking I meant the actual device that was trying to access the network.

In FreeRADIUS parlance, I think hostapd is called a NAS – it’s the NAS-to-FreeRADIUS connection I was referring to.

R.

From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Date: Tuesday, October 5, 2021 at 10:35 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Authenticator -to- RADIUS connection
On Oct 5, 2021, at 9:51 AM, Turner, Randy <Randy.Turner at landisgyr.com> wrote:
>
> I wasn’t playing peek-a-boo and I didn’t use the phrase “like TLS’, my first question was pretty straightforward.

  It was vague, and based on a vague / incorrect understanding of how RADIUS works.

  i.e. " I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…"

  Because RADIUS doesn't work that way.  This should be a hint... there is no way to do X, because X is impossible.

  When you ask questions based on wrong assumptions, it it's very difficult to answer the questions, for example:

Q: How do I add pumpkins to my cars gas tank
A: Huh?  that makes no sense

  At which point people usually get angry and say "I'm just asking a simple question, why can't you answer it?"

>   We were just trying to understand if we could use something other than a username/password for the authenticator to authenticate to RADIUS.

  The documentation has a long list of authentication methods it supports, as you found.  Which answers your question.

  But in the end, none of this matters.  "I want to use TLS" is not a useful requirement.   Because what matters is what the client / end-user device supports.

  Can you do PAP over WiFi?  No, it's impossible.

  Can you do EAP-TLS in some situations?  No, it's not always possible.

  If you want to use a different authentication type, then read the documentation for the RADIUS client and/or the end user device.  See what they support, and the configure them to use your favourite authentication type.

  Asking if "FreeRADIUS" supports it is completely backwards.  FreeRADIUS doesn't control what the end user device does.  In order to configure the end user device, you need to read the documentation for the end user device.

  It's that simple.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7Cdc040a222380487686ac08d9880d5775%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690413584138323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=6wW5VNeHU5Rq79Pvzan4v1sq1tFOx2mfjfHyFzZjpbA%3D&reserved=0


More information about the Freeradius-Users mailing list