On Apr 10, 2016, at 12:38 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok, I have more context for my question:
Does Freeradius support something similar to Cisco's use of key-wrap as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18
No.
In their implementation they define a way to securely transmit cryptographic keying material (such as from an EAP conversation) between NAS and Radius server using a a keywrap around the keying material to protect encryption key distribution.
That's nonsense.
Supposedly this "protects" a man-in-the-middle from grabbing the EAP keys? I'm not sure how this increases security because you can't do anything with the public keys anyway. But I suppose it's a "stronger" way of encrypting that information as opposed to the standard hash that's currently done.
Maybe. No one has broken the current method, so that argument is not really relevant.
The reason I'm asking, I'm doing some contract work for a university. The bosses want to know, presumably because they have some compliance requirements they need to satisfy.
It would help to describe those requirements. If it's "use Cisco gear", we can't help you. If it's "use Cisco non-standard stuff because of some bullshit sense of security", we can't help you. If it's "does FreeRADIUS do RADIUS", we can help you. RADIUS is secure. No one has broken it. Alan DeKok.