EAP-TTLS/EAP-TLS with freeRADIUS
Phil Mayers
p.mayers at imperial.ac.uk
Sun Nov 27 10:35:32 CET 2011

On 11/26/2011 11:49 PM, Mr Dash Four wrote:
>
>>> so it is, you can only protect your AP client with the shared secret
>>> key.
>>
>> Not necessarily. If the switch to which the WAP is connected supports
>> 802.1x, it could act as a NAS and authenticate the WAP with EAP/TLS.
> By WAP I take it you mean the wireless client, right? If so, this is

No. WAP == Wireless Access Point.

> indeed the case - the client will be a Linux-based device with
> wpa_supplicant and a driver which supports nl80211/cfg80211, so I can
> configure - at least on the client's part - EAP-TTLS/EAP-TLS
> authentication. My aim is to do the same on AP and RADIUS, which is the
> point of actually starting this thread as my "experience" with RADIUS is
> nil.

So you keep saying. I note however that it doesn't stop you from making
judgements on its security, and you're getting a lot of stick for that
(from me and others).

Seriously - it's good you want to learn. But why not do that first, then
ask questions based on the knowledge you've acquired and, hopefully,
understood? If you're missing basic terms like "WAP" i.e. a Wireless
Access Point, then I've got to say, you've got some work to do on the
fundamentals...

In brief, Ian was suggesting it's possible for the wireless AP to act as
an 802.1x client to the upstream ethernet switch (if that's the
topology). This is correct, but not IMO relevant to your concerns
(however misguided) or questions.