EAP-TTLS/EAP-TLS with freeRADIUS
Mr Dash Four
mr.dash.four at googlemail.com
Sun Nov 27 01:51:32 CET 2011
> No, the shared secret is not transmitted over the wire.
>
> For additional information see RFC2865, §2:
>
> "When a password is present, it is hidden using a method based on the
> RSA Message Digest Algorithm MD5. (see RFC131).
>

MD5 is broken.

>> My question still remains though - since this is a two-phase
>> authentication, two distinct sets of (ca, server, client) certificates
>> can be used. How do I specify these in RADIUS?
>>
>
> Which distinct set of certificates?
>

OK, for the first phase (EAP-TTLS) there is the CA certificate, server
certificate/key and, optionally, the client certificate/key
(fetched/presented on request if I configure this on the client side).
For the second phase (EAP-TLS) - there is, again, the CA certificate,
the client certificate/key (which is used to actually authenticate the
client) and the server certificate/key. For this second phase the CA,
server certificate/key as well as client certificate/key may be
different (they can be configured to be different - at least that is how
it is done on the client side with wpa_supplicant.conf).

The question is - how do I specify the CA, CA2, server certificate/key
and the second server certificate/key pair (for phase two) in RADIUS?

> The server certificate and key is configured via eap.conf.
>

As far as I can see in eap.conf I can only configure *one* CA (CA_file)
and one server certificate/key ("certificate_file", "private_key_file" &
"private_key_password" options) - all via "tls {}". So, there is no room
for one of the phases - unless I am missing something obvious. If I want
to use a different CA_file and a different server certificate/key for the
other phase, how do I do that in RADIUS?

To illustrate my point a bit more clearly - in wpa_supplicant.conf (on
the client side) I can specify the following parameters with regards to
EAP-TTLS/EAP-TLS:
proto=WPA2
key_mgmt=WPA-EAP
auth_alg=OPEN
eap=TTLS
# Phase 1 / outer authentication
ca_cert="/etc/cert/ca_p1.pem"
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=ap_server@example.com"
altsubject_match="EMAIL:ap_server@example.com;DNS:dns.example.com;DNS:dns2.example.com"
client_cert="/etc/cer/user_p1.pem"
private_key="/etc/cer/user_p1.key"
private_key_passwd="password"
# Phase 2 / inner authentication
phase2="autheap=TLS"
ca_cert2="/etc/cert/ca_p2.pem"
subject_match2="/C=US/ST=CA/L=San Francisco/CN=Test2 AS/emailAddress=ap_server2@example.com"
altsubject_match2="EMAIL:ap_server2@example.com;DNS:dns.example.com;DNS:dns2.example.com"
client_cert2="/etc/cer/user_p2.pem"
private_key2="/etc/cer/user_p2.key"
private_key2_passwd="password2"

So, on the client side I could configure two sets of the
keys/certificates required. How do I do that with RADIUS?

Also, how do I actually configure/specify the user authentication
certificate? I need to be able to authenticate the user by the various
certificate attributes (CN, Subject etc) - in both phases!
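
As an added illustration (not part of this thread or of the FreeRADIUS distribution), the following sketches how a FreeRADIUS 2.x layout can give each phase its own TLS context: the outer EAP-TTLS uses the default "eap" instance, while the inner EAP-TLS runs in the "inner-tunnel" virtual server through a second, independently configured eap instance. The instance name "inner-eap", the certificate paths and the "check_cert_cn" binding are assumptions for the example, not something stated in the thread.

```conf
# eap.conf: outer (phase 1, EAP-TTLS) TLS context, keys as named in the thread
eap {
	default_eap_type = ttls
	tls {
		CA_file              = /etc/raddb/certs/ca_p1.pem        # assumed path
		certificate_file     = /etc/raddb/certs/server_p1.pem    # assumed path
		private_key_file     = /etc/raddb/certs/server_p1.key    # assumed path
		private_key_password = "password"
	}
	ttls {
		default_eap_type       = tls
		copy_request_to_tunnel = no
		use_tunneled_reply     = no
		# phase 2 is processed by this virtual server, not by this tls {} block
		virtual_server = "inner-tunnel"
	}
}

# modules/inner-eap: second eap instance with a separate CA and server key pair
eap inner-eap {                 # instance name is an assumption
	default_eap_type = tls
	tls {
		CA_file              = /etc/raddb/certs/ca_p2.pem        # assumed path
		certificate_file     = /etc/raddb/certs/server_p2.pem    # assumed path
		private_key_file     = /etc/raddb/certs/server_p2.key    # assumed path
		private_key_password = "password2"
		# reject the inner client certificate unless its CN equals the
		# inner identity, so the tunnel cannot be used with someone else's cert
		check_cert_cn = %{User-Name}
	}
}

# sites-enabled/inner-tunnel: authenticate phase 2 with the second instance
server inner-tunnel {
	authorize {
		inner-eap
	}
	authenticate {
		inner-eap
	}
}
```

Checking other certificate attributes (Subject, altSubjectName) beyond the CN is not covered by this fragment; the thread itself only names the CN/Subject requirement, so that part is left open here.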