Mr Dash Four <mr.dash.four@googlemail.com> wrote:
After reading various howto's and documentation as well as looking at numerous sources on the Internet, I can't see a way in which the AP is authenticated to the RADIUS server by using only its certificate attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always needs some sort of "password" or "shared secret" specified.
so it is, you can only protect your AP client with the shared secret key.
In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
It is. I believe you misunderstood how RADIUS works. The connection between the AP (called NAS in RADIUS) and the RADIUS-Server is only protected by the shared secret configured in clients.conf. Yes, this is kind of weak. And because of this weakness a protocol like RADsec has been developed, which is essentially RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole RADIUS session. So far I have not seen any devices like APs, Dial-in-Servers, etc. support RADsec. But this is normally no problem, since those devices are usually located in a safe network with the RADIUS server. RADsec for example is used in the Deutsche Forschungsnetz (DFN), to secure inter-university RADIUS connections over the Internet to authenticate Eduroam users. Back to EAP-(T)TLS: The connection between a connecting device such as a laptop, which connects to a NAS, can be secured via EAP-(T)TLS, which is a protocol transported via RADIUS packets. This of course is supported by FreeRADIUS since ages. Grüße, Sven. -- Sigmentation fault. Core dumped.