EAP-TTLS/PAP -> LDAP for WPA2

John Allman allmanj at cp.dias.ie
Thu Jul 6 22:02:35 CEST 2006 

A.L.M.Buxey at lboro.ac.uk wrote:
>> The EAP-Message doesn't appear to be encrypted on the initial packet
>> from the ap to the server. Inside i see Type and Identity (containing my
>> username. The username is also in the User-Name attribute)
>>     
>
> that'll be your outer identity... which, as it is plain to see (pun definately 
> intended folks), is why many people use some anonymous identity for
> protection..why give away some of your credentials? - eg anonymous at your.home.realm.com
>   
Hmmm. Well, in the first packet i see the Identity in the EAP-Message,
but the User-name attribute is in every packet sent by the AP. How would
i go about using an anonymous identity? Would that be up to the wireless
client configuration? It would be quite important for me to hide this.
If i'm understanding you correctly, the User-name attribute and the
Identity field in the EAP-Message attribute have nothing to do with
authentication which is all enclosed (including the username) in PAP
which is encrypted  inside EAP-TTLS? If i could just get this fixed, i
think i'd be happy with my setup...

> authenticate = yes, you are who you are
> authorize = should you be using this? do we perhaps change the service you get (eg VLAN)
>
> if you've allowed people to talk to the RADIUS server, then they can...this is why
> you have eg the clients.conf (or clients SQL) to define *WHAT* NAS can talk to RADIUS
> server and what secret key they must have to talk to it. you can define whatever
> type of authentication that FR supports...depending on the eg username... 
>   

This certainly helps me understand, but it would be nice to get a more
complete understanding. I don't want to hassle you by continually asking
you questions until i get it - can you point me to somewhere i can read
up on this and understand. For example, it confuses me that there is an
ldap, eap and pap section in the authorize section, but pap is to be
used exclusively inside eap with the client and ldap is to be used
exclusively with the backend server.

Thanks for your help,

John

More information about the Freeradius-Users mailing list