On Thu, Feb 23, 2012 at 08:43:09PM +0000, vw58t1@yahoo.no wrote:
On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
2. configured ttls/server cert password in eap.conf and everything worked fine. Then I read somewhere that username/password authentication alone is not secure as some information is passed in clear text?!
You need to decide what auth methods you want to support.
PAP on its own sends the password in clear-text.
Sounds like you are trying to set up EAP-TTLS/PAP, which means that the password is now inside a TLS tunnel, so no longer clear-text on the wire.
I choose the TTLS because it's widely supported and might be used either with or without certificates. I would like to use username/password to securely authenticate users, that is encrypted username/password. You mean it's enough to only activate ttls as eap method in eap.conf and add a user to users file? isnt username tranferred in clear text?
If you enable pap in the default (outer) server, you will be able to authenticate with pap and clear-text passwords. If you only put pap in the inner-tunnel server, then it will have to be encrypted with the TTLS tunnel first. You can never stop a misconfigured client sending a clear-text password, of course... but you at least won't authenticate it.
Yes, but it aslo works without ":" and can only be applied to default-file, applying to inner-tunnel makes no difference at all.
Setting this in the inner-tunnel is too late. The TLS tunnel is up by then. Either = or := in this situation should be fine. := will force it to be set; = will not change the value if the attribute already exists.
If you want to use certificates for authentication then you're probably best to just use EAP-TLS (not TTLS).
I would not want to use TLS as it requires full PKI with both ca, server and client - certificates
By wanting to use client certificates with TTLS, you're essentially asking for the same thing. So - back to my original statement: You need to decide what auth methods you want to support. If you just want to ensure your passwords are not clear, then use EAP-TTLS (or PEAP), with e.g. PAP in the inner, and forget about the client certificates (remove EAP-TLS-Require-Client-Cert = Yes). If you want to authenticate with passwords, *and* force client certificates ("full PKI"), then you will need EAP-TLS-Require-Client-Cert = Yes, and you'll have to get the CA on both client & server, and issue certificates to both. You'll then need to manage a CA with issuing certificates to all your clients (which had better support TTLS with client certificates), etc. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>