----- Original Message ----- From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Sent: Thursday, 23 February 2012, 11:49 Subject: Re: freeradius eap-ttls user/pass + cert Hi, On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
2. configured ttls/server cert password in eap.conf and everything worked fine. Then I read somewhere that username/password authentication alone is not secure as some information is passed in clear text?!
You need to decide what auth methods you want to support. PAP on its own sends the password in clear-text. Sounds like you are trying to set up EAP-TTLS/PAP, which means that the password is now inside a TLS tunnel, so no longer clear-text on the wire. I choose the TTLS because it's widely supported and might be used either with or without certificates. I would like to use username/password to securely authenticate users, that is encrypted username/password. You mean it's enough to only activate ttls as eap method in eap.conf and add a user to users file? isnt username tranferred in clear text?
I added "EAP-TLS-Require-Client-Cert = Yes" in "authorize-section" the default-site in sites-enabled.
The magic code is something more like update control { EAP-TLS-Require-Client-Cert := Yes } Yes, but it aslo works without ":" and can only be applied to default-file, applying to inner-tunnel makes no difference at all.
(I also tried to add it to users-file, which didn't work, what does work is DEFAULT EAP-TLS-Require-Client-Cert := Yes)
However, many supplicants can't do client certificates with TTLS (or PEAP), so this is likely to lead you into trouble unless you always know exactly what clients you're dealing with. wpa_supplicant under linux supports most of the eap methods, linux is my main OS. If you want to use certificates for authentication then you're probably best to just use EAP-TLS (not TTLS). I would not want to use TLS as it requires full PKI with both ca, server and client - certificates
using Fedora 16 as client, I now had to use certificate, I added earlier created client.pem, but server fails to authenticate with message "unknown ca cert", I also tried to use ca.pem, but with negative result.
The CA for client cert validation goes in CA_file - did you set that? I only edited ca, server and client cnf-files as described in README-file under certs-dir. when adding ca.pem, debug says that client did not provide cert, if I use client.pem, debug says unknown ca. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html