At first, goodevening to eveone. I am simulating an authentication plataform. The situation is this one: PC 1: Supplicant.Access by networkManager. The crendential are: login= david@i2t passwd=david EAP=TTLS phase2=PAP PC 2: HostAP. It's correctly configured and works fine. PC 3: Proxy Freeradius. It has got a realm i2t defined, and proxyes the access requests to de PC4. PC 4: Final Freeradius. It contains the credential for the users of the i2t realm stored on a LDAP directory. The interconections between the PCs is this one: PC1 <-----> PC2 <-----> PC3 <-----> PC4 I have got some conceptual questions: I generated some certificates in PC3, and when I do the suply in PC1, I set the certificate of PC3. Is this correct? Or should I do it with a certificate of PC4? The conections between PC1&PC2 and PC2&PC3 are encrypted. But, what about PC3&P4? Is also a secure comunication? Could anyone explain how should it work? Once the tunnel has been created, what type of authentication method shall I use? Can I afford to use PAP with an LDAP direcotry at the backend PC? CHAP? GTC? Lots of thanks! I hope you have a good day.
Hi,
PC 1: Supplicant.Access by networkManager. The crendential are: login= david@i2t passwd=david EAP=TTLS phase2=PAP PC 2: HostAP. It's correctly configured and works fine. PC 3: Proxy Freeradius. It has got a realm i2t defined, and proxyes the access requests to de PC4. PC 4: Final Freeradius. It contains the credential for the users of the i2t realm stored on a LDAP directory.
The interconections between the PCs is this one:
PC1 <-----> PC2 <-----> PC3 <-----> PC4
thankyou for your clear documentation. as for your answers. the EAP is terminated on PC4 - thus the certificates need to be on PC4. PC3 is only a proxy server for the outer realm ID "i2t"
The conections between PC1&PC2 and PC2&PC3 are encrypted. But, what about PC3&P4? Is also a secure comunication?
PC3 to PC4 will be protected via the RADIUS shared secret
Once the tunnel has been created, what type of authentication method shall I use?
any that you can support.
Can I afford to use PAP with an LDAP direcotry at the backend PC? CHAP? GTC?
PAP is easy - but you could use eg MD5 or MSCHAPv2 - so long as the LDAP contains the correct password format available for FR to read (eg MD5 password or NT-hased password for challenge-response) alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
amarquez001@ikasle.ehu.es