EAP-TTLS/EAP-TLS with freeRADIUS

Mr Dash Four mr.dash.four at googlemail.com
Sun Nov 27 17:29:54 CET 2011


> Why don't you try reading about EAP and 802.1X too?
I did.

>> Interesting, noted. It would be nice if this works in a similar way as the SSL handshake works - this is very secure, tested and already established in the real world.
>
> Of course it does, it's using TLS...
Thank you.

>  You think the RADSEC guys are going to mess with it just because it's used for transporting RADIUS packets?
Where did I say or imply that? Touché!

>> OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens in two distinct stages: the first stage (EAP-TTLS) is the outer authentication where the server presents its credentials/certificate to the client and then the secure channel is established. Phase two (EAP-TLS in my case) is where the client - via its client certificate - is actually authenticated to the RADIUS server. Now, I was hoping that the AP does this in a similar sort of way when authenticating itself to the RADIUS server, but it seems that is not the case and this is indeed a weak point.
>
> No the NAS (It can be a WAP, VPN concentrator, Switch, Router, Terminal Server) - Does not use EAP-TTLS or any EAP based authentication method to communicate with the RADIUS server directly.
>
> As previously mentioned RADSEC does what you're asking. There's also plans for a DTLS transport layer (http://tools.ietf.org/html/draft-dekok-radext-dtls-03).
>
> But neither have been implemented by NAS vendors yet. If you want to have a secure channel of communication between the RADIUS server run the UDP packets through a VPN, or implement a local proxy on the NAS to translate between UDP and RADSEC.
Tunnelling is something I might consider as an alternative, thanks again 
for the explanation.

>  Additionally, if you're using EAP-TTLS-TLS, why do you need the RADIUS communications to be secure? The sensitive data is already encrypted. In fact why are you using EAP-TTLS-TLS unless you're transporting something extra in the TTLS tunnel? Seems sort of pointless to me...
Well, my understanding is that the communication between AP and RADIUS 
is not encrypted, isn't that so?

>> My question still remains though  - since this is a two-phase authentication, two distinct sets of (ca, server, client) certificates can be used. How do I specify these in RADIUS?
>
> raddb/modules/eap.conf - You can specify the signing CA for peer certificates for EAP-TLS.
>
> You can use two instances of the module, one for outer and one for inner if it helps you understand the concept any better.
Yep, that seems like a good plan - Phil Mayers was kind enough to 
explain it to me. I'll probably do a bit of digging before delving in 
with RADIUS myself.
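A concrete form of the two-instance layout discussed in this thread (an outer `eap` instance doing EAP-TTLS, a second named instance doing EAP-TLS inside the tunnel, each trusting its own CA), added here as an illustration; it is not from the original posts or from the freeRADIUS project's shipped files, uses freeRADIUS 2.x `raddb/modules/` syntax, and the file paths and CA names are assumptions:

```conf
# raddb/modules/eap.conf -- the OUTER instance (assumed file layout).
# Phase one: the server presents its certificate and the TTLS tunnel is
# built. Only the server credential and the CA that issued it matter
# here; the client has not been authenticated yet.
eap {
	default_eap_type = ttls
	tls {
		certdir = ${confdir}/certs
		private_key_file = ${certdir}/radius-server.pem   # assumed path
		certificate_file = ${certdir}/radius-server.pem   # assumed path
		CA_file = ${certdir}/outer-ca.pem                 # CA that signed the server cert (assumed)
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}
	ttls {
		default_eap_type = tls          # inner method is EAP-TLS
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel" # phase two runs in this virtual server
	}
}

# raddb/modules/inner-eap -- the INNER instance, a second copy of the same
# module under its own name. It only ever runs inside the tunnel, so it can
# trust a different CA for peer (client) certificates than the outer one.
# A certificate issued by the outer CA is therefore not accepted as a
# client credential, and vice versa.
eap inner-eap {
	default_eap_type = tls
	tls {
		certdir = ${confdir}/certs
		private_key_file = ${certdir}/radius-server.pem   # assumed path
		certificate_file = ${certdir}/radius-server.pem   # assumed path
		CA_file = ${certdir}/client-ca.pem                # CA that signs client certs (assumed)
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}
}
```

For the second instance to be used, the `authorize` and `authenticate` sections of `raddb/sites-available/inner-tunnel` must reference `inner-eap` instead of `eap`; otherwise the tunnelled EAP-TLS exchange is still handled by the outer instance and its CA.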

More information about the Freeradius-Users mailing list