Am 26.11.2011 22:04, schrieb Mr Dash Four:
I ma trying to set up freeRADIUS server implementing (wireless) user authentication (running wpa_supplicant) via AP (running hostapd).
After reading various howto's and documentation as well as looking at numerous sources on the Internet, I can't see a way in which the AP is authenticated to the RADIUS server by using only its certificate attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always needs some sort of "password" or "shared secret" specified.
so it is, you can only protect your AP client with the shared secret key.
Is it possible *not* to use this and rely solely on the strength/culpability (depending on the way one looks at it) of PKI? If so, how do I achieve that? A very simple configuration file example would suffice! In relation to that - another question: the rlm_eap text file (in the doc/ directory) distributed with the source code (I am using 2.1.12) states that "Currently Freeradius supports only 2 EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so?
As for the actual EAP-TTLS/EAP-TLS authentication process I have another query - my understanding of the theory behind this method is that the authentication/authorisation process is done in two distinct phases - outer and inner authentication. This also allows for the use of two distinct sets of (client, server, ca) certificates to be specified in each phase. If that is so, how is this configured/specified in the eap.conf configuration file (or elsewhere)?
Many thanks! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -----END PGP PUBLIC KEY BLOCK-----