EAP-TTLS/PAP -> LDAP for WPA2

A.L.M.Buxey at lboro.ac.uk
Thu Jul 6 19:06:22 CEST 2006


Hi,

> The EAP-Message doesn't appear to be encrypted on the initial packet
> from the AP to the server. Inside I see Type and Identity (containing my
> username. The username is also in the User-Name attribute)

that'll be your outer identity... which, as it is plain to see (pun definitely 
intended folks), is why many people use some anonymous identity for
protection.. why give away some of your credentials? - eg anonymous at your.home.realm.com

> But (imho) all the write-ups don't really explain what's going on.
> Myself, I don't understand what the authorize section and authenticate
> sections are supposed to do. Could somebody talk to the radius server
> directly without encryption using my settings? Can I specify what kinds
> of authentication I'll accept from users compared to the types of
> backend authentication I can do? I just find it hard to get my head
> around it...

authenticate = yes, you are who you are
authorize = should you be using this? do we perhaps change the service you get (eg VLAN)

if you've allowed people to talk to the RADIUS server, then they can...this is why
you have eg the clients.conf (or clients SQL) to define *WHAT* NAS can talk to RADIUS
server and what secret key they must have to talk to it. you can define whatever
type of authentication that FR supports...depending on the eg username... 

alan
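As an added example (not part of the original thread, and not FreeRADIUS code), the following builds the first Access-Request an AP sends for an EAP-TTLS client and then parses it the way anyone on the path between AP and server could. It shows two things from the reply above: the outer identity in the EAP-Message attribute is readable without any key, and the shared secret from clients.conf only proves the NAS is allowed to talk to the server (via Message-Authenticator, RFC 3579), it does not hide attributes. The secret and identity are constructed values, and the shared-secret check is the standard HMAC-MD5 from the RFC, written out here rather than taken from any library.

```python
# Added example, not from the original post. Assumes a constructed NAS
# shared secret ("testing123") and a constructed anonymous outer identity.
import hashlib
import hmac
import os
import struct

ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (RFC 3748): code, id, length, type, identity bytes."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def attr(attr_type, value):
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identity, secret, pkt_id=1, authenticator=None):
    """Access-Request with User-Name, EAP-Message and a Message-Authenticator.

    Message-Authenticator = HMAC-MD5(secret, packet with the attribute's
    16 value bytes zeroed), per RFC 3579. Nothing else is encrypted."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator, random per packet
    attrs = attr(ATTR_USER_NAME, identity.encode())
    attrs += attr(ATTR_EAP_MESSAGE, eap_identity_response(pkt_id, identity))
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attrs(pkt):
    """Yield (type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        yield attr_type, pkt[pos + 2:pos + length]
        pos += length


def outer_identity(pkt):
    """Read the outer identity from EAP-Message. No secret or key is needed:
    this is exactly what a sniffer between AP and RADIUS server sees."""
    eap = b"".join(v for t, v in parse_attrs(pkt) if t == ATTR_EAP_MESSAGE)
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(eap):
        raise ValueError("not an EAP Response/Identity")
    return eap[5:length].decode()


def verify_message_authenticator(pkt, secret):
    """True only if the sender knew this NAS's clients.conf secret."""
    pos = 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False


if __name__ == "__main__":
    secret = b"testing123"  # constructed; whatever clients.conf holds for this NAS
    pkt = build_access_request("anonymous@your.home.realm.com", secret)
    print("outer identity visible on the wire:", outer_identity(pkt))
    print("NAS secret accepted:", verify_message_authenticator(pkt, secret))
    print("wrong secret accepted:", verify_message_authenticator(pkt, b"wrong"))
```

The point for the question above: put the real username only inside the TTLS tunnel, and keep the outer identity to something like anonymous@your.home.realm.com, because every attribute in that first packet (and the User-Name the AP copies from it) is plaintext; the secret in clients.conf decides which NAS may talk to the server at all, not what an eavesdropper can read.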



More information about the Freeradius-Users mailing list