freeradius support eap-fast?

Josh Howlett Josh.Howlett at ja.net
Tue Nov 27 14:42:26 CET 2007


 
Alan wrote:
> Josh Howlett wrote:
> > I saw this :-). I had a question: EAP-TNC is intended to be
> > bound to any tunneled EAP method but the last time I looked at the
> > code the FreeRADIUS EAP state machine did not appear to support
> > binding consecutive EAP methods in sequence to an arbitrary
> > tunneled EAP method.
> 
>   I'm not sure what that means... Does EAP-TNC go inside of a 
> tunneled method, or does it tunnel other methods?

It normally tunnels inside other methods.

>   If it goes inside of a tunneled method, then there's no 
> problem.  PEAP and TTLS already support tunneling EAP types.  

Sure, but do the FreeRADIUS PEAP and TTLS implementations support running
an EAP method for AuthN followed immediately by EAP-TNC within the same
tunnel?

The original EAP RFC (2284) didn't explicitly prohibit method
sequencing. However, this was obsoleted by RFC 3748 which does prohibit
sequencing authentication methods (where this is defined as Type > 4,
excepting Notification).

Of course, an EAP method itself is free to do what it likes; so both
PEAP and TTLS support sequencing (although this isn't implemented much).

The difficulty that I saw when I looked at the code, IIRC, is that
FreeRADIUS re-uses the same functions (and therefore the same
assumptions of what is permitted and what isn't) for the 'outer' EAP
session as it does for the 'inner' session.

Did that make sense :-) ?

> > Does this EAP-TNC implementation therefore require the use of a
> > specific tunneled EAP method, or have there been some
> > improvements to the EAP state machine to support this flexibility?
> 
>   If EAP-TNC can go only inside of TTLS/PEAP, then the code 
> likely needs to be updated to check for that, and enforce 
> that requirement.

That's not a requirement, but a likely deployment scenario. EAP-TNC has
no transport security, and depends on the transport layer for
confidentiality, etc.

josh.
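The sequencing rule and the outer/inner reuse problem discussed in this message, as an added illustration that is not FreeRADIUS code and not part of the thread. The exchanges are constructed; the EAP type numbers are the IANA-registered values, and the `tunneled` flag stands in for "this conversation runs inside PEAP/TTLS", which the message says a real server must track separately from the outer session.

```python
# Model of RFC 3748's "one authentication method per EAP conversation" rule
# and of what happens when the same check is reused for the inner
# (tunneled) conversation. Constructed example, not FreeRADIUS code.

IDENTITY, NOTIFICATION, NAK = 1, 2, 3
EAP_TLS, EAP_PEAP, EAP_MSCHAPV2, EAP_TNC = 13, 25, 26, 38   # IANA EAP types

# Identity, Notification and Nak are not authentication methods (RFC 3748).
NON_METHOD_TYPES = {IDENTITY, NOTIFICATION, NAK}


def check_sequencing(exchange, tunneled):
    """Validate an EAP conversation given as [(code, type), ...].

    code is "Request" or "Response". Returns (ok, methods_entered).
    Outer conversation (tunneled=False): at most one authentication
    method may be entered. A peer Nak means the method was declined
    (negotiation), which is not sequencing. Inside PEAP/TTLS
    (tunneled=True) the tunnel method itself may sequence inner methods.
    """
    methods = []      # authentication methods actually entered, in order
    proposed = None   # method offered in a Request, not yet accepted
    for code, eap_type in exchange:
        if code == "Request":
            if eap_type in NON_METHOD_TYPES:
                continue
            if eap_type == proposed or (methods and methods[-1] == eap_type):
                continue                      # continuation of current method
            proposed = eap_type
        elif code == "Response":
            if eap_type == NAK:
                proposed = None               # declined, try another method
            elif proposed is not None and eap_type == proposed:
                methods.append(proposed)      # peer accepted: method entered
                proposed = None
    ok = tunneled or len(methods) <= 1
    return ok, methods


# Constructed outer conversation: TLS offered, peer Naks, PEAP accepted.
OUTER = [("Request", IDENTITY), ("Response", IDENTITY),
         ("Request", EAP_TLS), ("Response", NAK),
         ("Request", EAP_PEAP), ("Response", EAP_PEAP),
         ("Request", EAP_PEAP), ("Response", EAP_PEAP)]

# Constructed inner (tunneled) conversation: MSCHAPv2 for AuthN, then EAP-TNC.
INNER = [("Request", EAP_MSCHAPV2), ("Response", EAP_MSCHAPV2),
         ("Request", EAP_MSCHAPV2), ("Response", EAP_MSCHAPV2),
         ("Request", EAP_TNC), ("Response", EAP_TNC)]
```

Running `check_sequencing(INNER, tunneled=False)` reproduces the problem the message describes: the outer rule, applied unchanged to the inner session, rejects the AuthN-then-TNC sequence that the tunnel method is allowed to carry.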
