EAP-TTLS/EAP-TLS with freeRADIUS

Mr Dash Four mr.dash.four at googlemail.com
Sun Nov 27 17:29:34 CET 2011


>> MD5 is broken.
>
> Thanks for the public service announcement.
Pleasure!

> Do you seriously think the IETF, and the people responsible for RADIUS 
> protocol evolution, aren't aware of this?
>
> Seriously, what would you like us to do exactly? Travel back in time 
> to the mid 1990s and re-do the first RADIUS implementations with 
> end-to-end pluggable crypto, and at the same time arrange for the 
> Wassenaar agreement to be revoked?
>
> If you want better security than that provided by the shared secret, 
> you're free to arrange it between your NAS and your radius server. 
> Some places use IPSec for this purpose, or things like OpenVPN.
Up until yesterday, I wasn't aware that the only way an AP/NAS can 
communicate with the RADIUS server is via an unencrypted channel. That's fair 
enough, I suppose; once I know what I am up against, I will take the 
appropriate actions/measures to mitigate the possible security 
implications and reduce the risks, if I can. I wasn't making a "public 
announcement", it was merely an observation - stop being so precious!

> HOWEVER - before you do that, and before you make any more 
> announcements on how insecure RADIUS is, perhaps you could actually 
> put some time and effort into understanding the protocol. You are 
> missing two critical bits of info:
>
> [...]
>
> Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS 
> vendors support it? No. Can we afford to stop using RADIUS? No.
Thank you - if I knew where to look for this information, I would have 
done it ages ago.

>> The question is - how do I specify the CA, CA2, server certificate/key
>> and server certificate/key second pair (for phase two) in RADIUS?
>
>
> Specify two different instances of the eap module. There is an example 
> of this in the default configs in recent 2.1.x versions - see 
> raddb/modules/inner-eap. Once you've done that, use the 2nd module 
> inside your inner-tunnel, like so:
Thanks again, I wasn't aware that I could have inner/different 
instances. Apart from the various, rather scattered, files with sample 
configuration examples, is there a more comprehensive manual which 
includes (and explains) all these options? I'd rather read those than 
rely on jamooks like DeCock to explain it all to me (or not, as may 
be the case here).
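The reply quoted above elides the actual configuration. What follows is an added sketch, written for this page rather than taken from the list post or from the project's shipped default files, of the layout it describes for freeRADIUS 2.1.x: the default `eap` instance in raddb/eap.conf terminates the outer EAP-TTLS tunnel with the first certificate/key pair and CA, a second instance named `inner-eap` (the raddb/modules/inner-eap file the reply points at) carries the second pair and CA2 for the EAP-TLS phase inside the tunnel, and the `inner-tunnel` virtual server is pointed at that second instance. Every file name (`server.pem`, `inner-server.pem`, `ca.pem`, `ca2.pem`) and the `private_key_password` values are placeholders to be replaced with your own; the `certdir`/`cadir` variables are assumed to be defined as shown.

```conf
# --- raddb/eap.conf : outer instance (phase one, EAP-TTLS) ---
# Assumed layout; file names are placeholders for your own PKI material.
eap {
	default_eap_type = ttls
	timer_expire     = 60
	max_sessions     = 2048

	tls {
		certdir = ${confdir}/certs
		cadir   = ${confdir}/certs

		private_key_password = REPLACE_WITH_OUTER_KEY_PASSWORD
		private_key_file     = ${certdir}/server.pem   # outer server key
		certificate_file     = ${certdir}/server.pem   # outer server cert
		CA_file              = ${cadir}/ca.pem         # CA that issued the outer cert
		dh_file              = ${certdir}/dh
		random_file          = /dev/urandom

		# Reject client certs that have been revoked by this CA.
		check_crl = yes
		CA_path   = ${cadir}
	}

	ttls {
		# Hand the decrypted inner EAP conversation to the inner-tunnel
		# virtual server, which uses the second eap instance below.
		default_eap_type = tls
		virtual_server   = "inner-tunnel"
		copy_request_to_tunnel = no
		use_tunneled_reply     = no
	}
}

# --- raddb/modules/inner-eap : second instance (phase two, EAP-TLS) ---
eap inner-eap {
	default_eap_type = tls
	timer_expire     = 60
	max_sessions     = 2048

	tls {
		certdir = ${confdir}/certs
		cadir   = ${confdir}/certs

		private_key_password = REPLACE_WITH_INNER_KEY_PASSWORD
		private_key_file     = ${certdir}/inner-server.pem  # second server key
		certificate_file     = ${certdir}/inner-server.pem  # second server cert
		CA_file              = ${cadir}/ca2.pem             # CA2: issues the client certs
		dh_file              = ${certdir}/dh
		random_file          = /dev/urandom

		check_crl = yes
		CA_path   = ${cadir}
	}
}

# --- raddb/sites-available/inner-tunnel : use the 2nd instance ---
server inner-tunnel {
	authorize {
		# Replace the plain "eap" entry with the inner instance so the
		# tunnelled EAP-TLS is validated against CA2, not the outer CA.
		inner-eap {
			ok = return
		}
		files
	}

	authenticate {
		Auth-Type eap {
			inner-eap
		}
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

The point of keeping two instances is that each TLS context gets its own trust anchor: a client certificate signed by CA2 is acceptable only inside the tunnel, and the outer CA is never consulted for it. After editing, `radiusd -X` in debug mode shows both instances being instantiated and reports which `CA_file` each one loaded, which is the quickest way to confirm the inner server is not silently falling back to the outer certificates.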