Hi, On Sat, Jan 12, 2019 at 03:29:08PM +0530, shivu prasad wrote:
Thee module is working fine as the part of hardening I thought of enabling the SSL(server certs) so that all client request to server and server to clients go via this SSL.
Not exactly sure I follow, but if you wish to encrypt the connection between clients and the radius server, you need to use PEAP or EAP-TTLS. They are very similar in what they achieve. Basically, PEAP is to EAP what HTTPS is to HTTP. Inside the PEAP or TTLS "tunnel" happens the real radius authentication. Just have a look at mods-available/eap, in particular the PEAP {} section. There's a configuration option called inner_tunnel. Inner_tunnel specifies the server configuration that is to be used inside the PEAP connection, that would otherwise be unprotected.
Is Configure the SSL between radius server and clients is required?
It is not required, but if the communication between the radius server and the clients can be intercepted, such as is the case with WIFI, then it's a really good idea to enable encryption. The EAP-PWD authentication method works encrypted but doesn't require any certificates/TLS setup to be configured, as it uses other means to securely exchange the passphrase; however, it's not yet supported by all platforms and only works with pre shared passphrases. HTH a bit, HC