I guess I was thinking about using mutual TLS for the authenticator to authenticate itself to the FreeRADIUS server…rather than a username and password.. R. From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Date: Tuesday, October 5, 2021 at 9:33 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authenticator -to- RADIUS connection On Oct 5, 2021, at 9:29 AM, Turner, Randy <Randy.Turner@landisgyr.com> wrote:
There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…
For the simple reason that it's impossible. How does a web server control whether the browser does GET / POST / whatever? How does a DNS server control whether the client asks for an A / AAA / NS record? It doesn't. It's impossible. FreeRADIUS supports PAP, CHAP, MS-CHAP, HTTP Digest, EAP, etc. All of this is documented. There is simply no way (outside of very narrow situations) for the server to tell the client "use CHAP and not PAP". Alan DeKok. - List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7C3889accc6d6b4e9ed30608d98804c89f%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690376396083630%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=1dDpETnEo3kFL0zjvgDPvy5ApwOoLaC2FxQv%2BPIdsXo%3D&reserved=0