ma 11. syysk. 2023 klo 20.44 Alan DeKok (aland@deployingradius.com) kirjoitti:
On Sep 11, 2023, at 12:56 PM, Simo Tappola <simo.tappola@gmail.com> wrote:
a FreeRADIUS newbie here, with a (hopefully) basic question: I am struggling to figure out how to use freeradius-client as NAS/authenticator when authenticating a supplicant to freeradius-server.
The short answer is you don't. The freeradius-client library is intended to do RADIUS. EAP is substantially more complex.
If you need to implement EAP, then I would suggest looking at hostap / wpa_supplicant. It has a large set of EAP methods available, and is very well documented. It even has a basic RADIUS client which is used in the eapol_test program.
I re-read my original post and realised I may have given an impression that I am implementing the supplicant part, while in reality I am working on the NAS/authenticator. The supplicant(s) is/are just black boxes for now, although later it might be feasible to transfer also custom data from the authenticator to supplicants, which, in my admittedly limited understanding, should be possible with EAP. That's also why piggy-backing the EAP packets inside RADIUS frames seemed like a clever option. Wireshark also decoded the frames - including embedded EAP packets - correctly. Which library/component would be your recommendation in the authenticator device? I don't particularly *want* to write any code, but at least some amount of customization seems unavoidable.
I have to ask why you're writing yet another EAP library. There's already source code available in hostap.
Plus, EAP-MD5 isn't any better than CHAP. It's 99.9% CHAP, but just wrapped in an EAP layer. It adds complexity for no additional benefit.
So rather than talking about technical details, perhaps you can explain why you need to do EAP, and why you're re-implementing EAP.
Learning, that's the short answer. I've only just begun dabbling on this and don't really know what I'm doing yet. So for now this is mainly a research project, and MD5 seemed like a reasonably simple first try. Ultimately, PEAP/TLS is probably the way to go, but I would first like to understand the (best, hopefully, or at least good) options I have in the authenticator. Regards, Simo