Freeradius + mysql + openssl certificates?
John Dennis
jdennis at redhat.com
Thu May 6 15:47:45 CEST 2010
On 05/06/2010 03:17 AM, shirkavand wrote:
> Hi,
>
> Can I use freeradius + mysql + ssl certificates at the same time for
> authenticating users... or does this not make sense? I am a bit confused
> about whether I have to use one of them (mysql or ssl certificates) for
> authentication purposes.
>
> I have read tutorials for using freeradius + mysql OR freeradius + ssl
> certificates. The "freeradius + mysql" tutorial explains how to do the
> authentication using mysql... so the passwords and users are all stored
> inside a mysql db. On the other hand, the freeradius + ssl
> certificates tutorial explains how to do the authentication using a file
> called "users" that stores all the users and passwords.
>
> So I am wondering if I can make the radius server authenticate users
> using the credential info from the mysql db and using certificates
> too... or if each one is a different method to use.
You might be confused as to when certificates are required and for what
purpose. In the more common case the only certificate needed is for the
radius server; user authentication occurs via per-user passwords or
hashes available to the radius server via a secondary store (e.g. SQL
database, flat file, or LDAP). The server certificate is only used to
secure the communications channel and there is no need to store a
certificate in a database. However, some EAP methods avoid the use of the
less secure password/hash credential (what is normally stored in a
database on a per-user basis) and instead require a client certificate.
Client certificates (e.g. a certificate is issued to each user wishing
to authenticate) are more secure than passwords/hashes. However, the
requirement for distributing and maintaining client-side certificates is
often considered too much of a logistical burden despite the excellent
security it provides. When client certificates are used it's still not
necessary to store any per-user certificates in the backend. Why?
Because in the SSL/TLS protocol, when client authentication is requested
the client sends its certificate to the server, which then validates the
client certificate (after having also validated a client-signed
challenge). The primary requirement here is that the CA which signed the
client certificate is a trusted CA known to the radius server.
The short answer is that radius configurations backed by a MySQL database do
not require storing per-user certificates in the database.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
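The point made in the reply above, that a server validating client certificates needs only the trusted CA and never a per-user certificate store, can be seen directly with the openssl command-line tool. The following is an added example and is not code from the mailing-list thread or from the FreeRADIUS project: it builds a throwaway CA, issues a client certificate from it and another from an unrelated CA, and then runs the same chain validation against the trusted CA file that a TLS server performs when it requests client authentication. All CA names, user names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): client-certificate validation needs
# only the trusted CA file, exactly as a RADIUS server doing EAP-TLS does.
# No per-user certificate is looked up and no user database is consulted.
# Requires the openssl command-line tool; all names below are constructed.

set -e

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    dir="$1"; name="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# issue_client DIR CA USER: issue a client certificate for USER signed by CA.
# In a real deployment this happens at enrolment time, once per user; the
# RADIUS server never sees or stores the result.
issue_client() {
    dir="$1"; ca="$2"; user="$3"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$user.csr" \
        -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" -CAcreateserial \
        -out "$dir/$user.pem" >/dev/null 2>&1
}

# verify_client TRUSTED_CA_PEM CLIENT_PEM: exit 0 if the presented client
# certificate chains to the trusted CA, non-zero otherwise. This is the
# whole per-user trust decision; the server only needs the CA file.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: run both cases and report the outcome on one line.
# Expected: "trusted=ok untrusted=rejected"
demo() {
    work=$(mktemp -d)
    make_ca "$work" radius-ca          # the CA the RADIUS server trusts
    make_ca "$work" other-ca           # an unrelated CA nobody configured
    issue_client "$work" radius-ca alice
    issue_client "$work" other-ca mallory

    if verify_client "$work/radius-ca.pem" "$work/alice.pem"; then
        a=ok
    else
        a=rejected
    fi
    if verify_client "$work/radius-ca.pem" "$work/mallory.pem"; then
        m=accepted
    else
        m=rejected
    fi
    rm -rf "$work"
    echo "trusted=$a untrusted=$m"
}

demo
```

The certificate issued by the unrelated CA is rejected even though it is a perfectly well-formed certificate with a user name in it; the only thing that makes alice's certificate acceptable is the issuer chain. In FreeRADIUS that trusted CA file is what the `tls` section of eap.conf points at, and the SQL backend continues to hold only whatever per-user passwords or attributes the password-based methods need. Revocation checking (a CRL) is a separate layer on top of this chain validation and is also configured per CA, not per user.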