EAP-TTL Proxy LDAP

A.L.M.Buxey at lboro.ac.uk
Wed Mar 5 21:27:31 CET 2008


Hi,

> PC 1: Supplicant. Access by NetworkManager.
> The credentials are: login=david at i2t passwd=david EAP=TTLS phase2=PAP
> PC 2: HostAP. It's correctly configured and works fine.
> PC 3: Proxy FreeRADIUS. It has got a realm i2t defined, and proxies the
> access requests to PC4.
> PC 4: Final FreeRADIUS. It contains the credentials for the users of the
> i2t realm stored on an LDAP directory.
> 
> The interconnections between the PCs are these:
> 
> PC1 <-----> PC2 <-----> PC3 <-----> PC4

thank you for your clear documentation.

as for your answers. the EAP is terminated on PC4 - thus the certificates
need to be on PC4. PC3 is only a proxy server for the outer realm ID "i2t".

> The connections between PC1&PC2 and PC2&PC3 are encrypted. But what
> about PC3&PC4? Is it also a secure communication?

PC3 to PC4 will be protected via the RADIUS shared secret.

> Once the tunnel has been created, what type of authentication method
> shall I use?

any that you can support.

> Can I afford to use PAP with an LDAP directory at the backend PC?
> CHAP? GTC?

PAP is easy - but you could use e.g. MD5 or MSCHAPv2 - so long as
the LDAP contains the correct password format available for FR to
read (e.g. MD5 password or NT-hashed password for challenge-response).

alan
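What "protected via the RADIUS shared secret" amounts to on the PC3 to PC4 hop, as an added example that is not part of the thread: the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator that RADIUS requires on packets carrying EAP-Message, built and verified in Python. Secret, identifier, request authenticator and the EAP Identity payload used in the checks are constructed sample values, and attribute type numbers are the standard IANA assignments.

```python
import hashlib
import hmac

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value (RFC 2865 s.5)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def find_attr(packet, attr_type):
    """Offset of the first matching attribute's value, or None if absent or malformed."""
    off = 20  # attributes start after Code, Identifier, Length and the 16-byte Authenticator
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            return None  # malformed TLV: refuse rather than read past the packet
        if t == attr_type:
            return off + 2
        off += length
    return None

def build_access_request(ident, req_auth, attrs, secret):
    """Proxy side (PC3): Access-Request with Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + req_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac  # the 16 zero bytes of the placeholder are the packet's tail

def verify_message_authenticator(packet, secret):
    """Home server side (PC4): an EAP request is processed only if its HMAC verifies."""
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None:
        return False  # RFC 3579: EAP-Message without Message-Authenticator is silently discarded
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

def build_response(code, request, attrs, secret):
    """Home server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = bytes([code, request[1]]) + (20 + len(body)).to_bytes(2, "big")
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Proxy side: trust a reply only if it matches the outstanding request and proves the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The secret gives this hop origin authentication and integrity (HMAC-MD5 and MD5, plus User-Password obfuscation, not shown), not confidentiality; the inner PAP or MSCHAPv2 exchange stays inside the TTLS TLS tunnel that terminates on PC4.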


