Request Help On setting up SSL using external server certs on freeradius
Hi Guys, I am trying to achieve below thing. I am written radius module which will do Authentication and authorization with external identity providers. Thee module is working fine as the part of hardening I thought of enabling the SSL(server certs) so that all client request to server and server to clients go via this SSL. I am try to read the documents and even deploying radius ( http://deployingradius.com/) its only talk about tls for *EAP* Auth type. Is Configure the SSL between radius server and clients is required? if required can any one point to how to configure it. Regards, Shivaprasad
SSL between the server and clients? Nothing to do with RADIUS itself. You need to either look at RADSEC for that channel or use SSL VPN between the 2. On Sat, 12 Jan 2019, 09:58 shivu prasad <shivaprasad2452@gmail.com wrote:
Hi Guys,
I am trying to achieve below thing.
I am written radius module which will do Authentication and authorization with external identity providers.
Thee module is working fine as the part of hardening I thought of enabling the SSL(server certs) so that all client request to server and server to clients go via this SSL.
I am try to read the documents and even deploying radius ( http://deployingradius.com/) its only talk about tls for *EAP* Auth type.
Is Configure the SSL between radius server and clients is required? if required can any one point to how to configure it.
Regards, Shivaprasad - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi , Depends on the authentication you are using, how your module authenticates ? On Sat, Jan 12, 2019, 5:04 PM Alan Buxey <alan.buxey@gmail.com wrote: > SSL between the server and clients? Nothing to do with RADIUS itself. You > need to either look at RADSEC for that channel or use SSL VPN between the > 2. > > On Sat, 12 Jan 2019, 09:58 shivu prasad <shivaprasad2452@gmail.com wrote: > > > Hi Guys, > > > > I am trying to achieve below thing. > > > > I am written radius module which will do Authentication and authorization > > with external identity providers. > > > > Thee module is working fine as the part of hardening I thought of > enabling > > the SSL(server certs) so that all client request to server and server to > > clients go via this SSL. > > > > I am try to read the documents and even deploying radius ( > > http://deployingradius.com/) its only talk about tls for *EAP* Auth > type. > > > > Is Configure the SSL between radius server and clients is required? > > if required can any one point to how to configure it. > > > > Regards, > > Shivaprasad > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html
Hi, On Sat, Jan 12, 2019 at 03:29:08PM +0530, shivu prasad wrote:
Thee module is working fine as the part of hardening I thought of enabling the SSL(server certs) so that all client request to server and server to clients go via this SSL.
Not exactly sure I follow, but if you wish to encrypt the connection between clients and the radius server, you need to use PEAP or EAP-TTLS. They are very similar in what they achieve. Basically, PEAP is to EAP what HTTPS is to HTTP. Inside the PEAP or TTLS "tunnel" happens the real radius authentication. Just have a look at mods-available/eap, in particular the PEAP {} section. There's a configuration option called inner_tunnel. Inner_tunnel specifies the server configuration that is to be used inside the PEAP connection, that would otherwise be unprotected.
Is Configure the SSL between radius server and clients is required?
It is not required, but if the communication between the radius server and the clients can be intercepted, such as is the case with WIFI, then it's a really good idea to enable encryption. The EAP-PWD authentication method works encrypted but doesn't require any certificates/TLS setup to be configured, as it uses other means to securely exchange the passphrase; however, it's not yet supported by all platforms and only works with pre shared passphrases. HTH a bit, HC
On Sat, Jan 12, 2019 at 12:46:14PM +0100, Hans-Christian Esperer wrote:
On Sat, Jan 12, 2019 at 03:29:08PM +0530, shivu prasad wrote:
Thee module is working fine as the part of hardening I thought of enabling the SSL(server certs) so that all client request to server and server to clients go via this SSL.
If by "clients" you mean a NAS or wifi access point that talks to the radius server, then forget everything I just said. I was talking about protecting the connection between clients that need to be authenticated (i.w., wifi clients) and the NAS/access points. -HC
participants (4)
-
Alan Buxey -
arjun sharma -
Hans-Christian Esperer -
shivu prasad