No, the shared secret is not transmitted over the wire.
For additinal information see RFC2865, ยง2:
"When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5. (see RFC131).
MD5 is broken.
My question still remains though - since this is a two-phase authentication, two distinct sets of (ca, server, client) certificates can be used. How do I specify these in RADIUS?
Which distinct set of certificates?
OK, for the first phase (EAP-TTLS) there is the CA certificate, server certificate/key and, optionally, the client certificate/key (fetched/presented on request if I configure this on the client side). For the second phase (EAP-TLS) - there is, again, the CA certificate, the client certificate/key (which is used to actually authenticate the client) and the server certificate/key. For this second phase the CA, server certificate/key as well as client certificate/key may be different (they can be configured to be different - at least that is how it is done on the client side with wpa_supplicant.conf). The question is - how do I specify the CA, CA2, server certificate/key and server certificate/key second pair (for phase two) in RADIUS?
The server certificate and key is configured via eap.conf.
As far as I can see in eap.conf I can only configure *one* CA (CA_file) and one server certificate/key ("certificate_file", "private_key_file" & "private_key_password" options) - all via "tls {}". So, there is no room for one of the phases - unless I am missing something obvious. If I want to use a different CA_file and different server certificate/key for the other phase how do I do that in RADIUS? To illustrate my point a bit more clearly - in wpa_supplicant.conf (on the client side) I can specify the following parameters with regards to EAP-TTLS/EAP-TLS: proto=WPA2 key_mgmt=WPA-EAP auth_alg=OPEN eap=TTLS # Phase 1 / outer authentication ca_cert="/etc/cert/ca_p1.pem" subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=ap_server@example.com" altsubject_match="EMAIL:ap_server@example.com;DNS:dns.example.com;DNS:dns2.example.com" client_cert="/etc/cer/user_p1.pem" private_key="/etc/cer/user_p1.key" private_key_passwd="password" # Phase 2 / inner authentication phase2="autheap=TLS" ca_cert2="/etc/cert/ca_p2.pem" subject_match2="/C=US/ST=CA/L=San Francisco/CN=Test2 AS/emailAddress=ap_server2@example.com" altsubject_match2="EMAIL:ap_server2@example.com;DNS:dns.example.com;DNS:dns2.example.com" client_cert2="/etc/cer/user_p2.pem" private_key2="/etc/cer/user_p2.key" private_key2_passwd="password2" So, on the client side I could configure two sets of the keys/certificates required. How do I do that with RADIUS? Also, how do I actually configure/specify the user authentication certificate? I need to be able to authenticate user by the various certificate attributes (CN, Subject etc) - in both phases!