Hi All, I want to configure free-radius to handle a simple EAP described below. 1. Radius receives a IDENTITY message. The IDENTITY message contains a encrypted certificate. 2. The server decrypts and validates the Certificate and send out a EAP-Success or EAP-Failure. Is there any way i can configure freeradius to achieve this flow or would i have to modify the code. As i understand the standard flows are much more complicated(with challenge), which i dont want. Thanks & Regards, Shiv
Why exactly do you want to do this instead of using standardized EAP- TLS? You'll have to write your own code upates to FreeRADIUS, and I know of *no* supplicants that will operate in this fashion. Seems like a lot more trouble than using what's already there, especially when you get into situations like where the certificate won't fit into one EAPOL packet, which is constrained by the MTU. --Mike On Mar 7, 2007, at 12:53 PM, Diameter K wrote:
Hi All, I want to configure free-radius to handle a simple EAP described below.
1. Radius receives a IDENTITY message. The IDENTITY message contains a encrypted certificate. 2. The server decrypts and validates the Certificate and send out a EAP-Success or EAP-Failure.
Is there any way i can configure freeradius to achieve this flow or would i have to modify the code. As i understand the standard flows are much more complicated(with challenge), which i dont want.
Thanks & Regards, Shiv
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Hi Mike/Josh, Thanks for your replies. Please see my responses below. On 3/8/07, Michael Griego <mgriego@utdallas.edu> wrote:
Why exactly do you want to do this instead of using standardized EAP- TLS? Ok I will check if i can use EAP-TLS.
You'll have to write your own code upates to FreeRADIUS, and I know of *no* supplicants that will operate in this fashion. Seems like a lot more trouble than using what's already there, especially when you get into situations like where the certificate won't fit into one EAPOL packet, which is constrained by the MTU.
Say if i use EAP-TLS then is the NAS supposed to store the certificate of the supplicant. I think the certificate must alway come from the supplicant. But then if we have a problem with the MTU, then supplicant stored certificates cannot be used with EAP-TLS.
--Mike
On Mar 7, 2007, at 12:53 PM, Diameter K wrote:
Hi All, I want to configure free-radius to handle a simple EAP described below.
1. Radius receives a IDENTITY message. The IDENTITY message contains a encrypted certificate. 2. The server decrypts and validates the Certificate and send out a EAP-Success or EAP-Failure.
Is there any way i can configure freeradius to achieve this flow or would i have to modify the code. As i understand the standard flows are much more complicated(with challenge), which i dont want.
Thanks & Regards, Shiv
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Diameter K wrote:
Say if i use EAP-TLS then is the NAS supposed to store the certificate of the supplicant.
No.
I think the certificate must alway come from the supplicant. But then if we have a problem with the MTU, then supplicant stored certificates cannot be used with EAP-TLS.
No. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Diameter K -
Michael Griego