EAP-TTLS/EAP-TLS with freeRADIUS
Sven Hartge
sven at svenhartge.de
Sun Nov 27 00:07:13 CET 2011
Mr Dash Four <mr.dash.four at googlemail.com> wrote:
>>> After reading various howto's and documentation as well as looking
>>> at numerous sources on the Internet, I can't see a way in which the
>>> AP is authenticated to the RADIUS server by using only its
>>> certificate attributes (CN, Subject, Issuer etc) - it seems that
>>> freeRADIUS always needs some sort of "password" or "shared secret"
>>> specified.
>> so it is, you can only protect your AP client with the shared secret
>> key.
> In other words, EAP-TTLS/EAP-TLS isn't actually supported in
> freeRADIUS?
It is. I believe you misunderstood how RADIUS works.
The connection between the AP (called NAS in RADIUS) and the
RADIUS-Server is only protected by the shared secret configured in
clients.conf.
Yes, this is kind of weak. And because of this weakness a protocol like
RADsec has been developed, which is essentially
RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole
RADIUS session.
So far I have not seen any devices like APs, Dial-in-Servers, etc.
support RADsec. But this is normally no problem, since those devices are
usually located in a safe network with the RADIUS server.
RADsec for example is used in the Deutsche Forschungsnetz (DFN), to
secure inter-university RADIUS connections over the Internet to
authenticate Eduroam users.
Back to EAP-(T)TLS:
The connection between a connecting device such as a laptop, which
connects to a NAS, can be secured via EAP-(T)TLS, which is a protocol
transported via RADIUS packets.
This of course has been supported by FreeRADIUS for ages.
Regards,
Sven.
--
Sigmentation fault. Core dumped.
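Added illustration (not part of Sven's post or the FreeRADIUS code base): what "protected only by the shared secret" means on the wire. The NAS-to-server link is integrity-checked by an MD5 authenticator keyed with the secret from clients.conf, while the attributes themselves, including the EAP-Message fragments that carry the EAP-(T)TLS handshake, travel in the clear. Secret, request authenticator and EAP payload below are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not a real secret or captured traffic.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))          # the NAS's 16 random bytes (fixed here)
ACCESS_CHALLENGE = 11                    # RADIUS code, RFC 2865
EAP_MESSAGE = 79                         # attribute type carrying EAP-(T)TLS frames

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    """Parse TLV attributes; nothing here is encrypted (only User-Password is obfuscated)."""
    out, i = [], 0
    while i < len(blob):
        t, l = struct.unpack("!BB", blob[i:i + 2])
        out.append((t, blob[i + 2:i + l]))
        i += l
    return out

def response_authenticator(code, ident, request_auth, attrs_blob, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_blob))
    return hashlib.md5(header + request_auth + attrs_blob + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: build a reply whose authenticator is keyed with the shared secret."""
    blob = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, blob, secret)
    return struct.pack("!BBH", code, ident, 20 + len(blob)) + auth + blob

def verify_reply(packet, request_auth, secret):
    """NAS side: recompute the authenticator; a wrong secret or altered attribute fails."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    # EAP-Message payload: EAP Request, id 2, length 6, type 13 (EAP-TLS), Start flag
    reply = build_reply(ACCESS_CHALLENGE, 7, REQUEST_AUTH,
                        [(EAP_MESSAGE, b"\x01\x02\x00\x06\x0d\x20")], SECRET)
    print("valid with correct secret:", verify_reply(reply, REQUEST_AUTH, SECRET))
    print("valid with wrong secret:  ", verify_reply(reply, REQUEST_AUTH, b"wrong"))
    print("attributes readable on the wire:", decode_attrs(reply[20:]))
```

The integrity check fails on a wrong secret or a modified attribute, but `decode_attrs` reads every attribute without the secret, which is the gap RADsec closes by wrapping the whole exchange in TLS.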