User + X Authentication

Raz Muhammad raz.muhammad at cerberusnetworks.co.uk
Wed Sep 21 11:10:58 CEST 2011


Thanks Chris.
This is what I would have gone for, but a quick Google search for an EAP/TLS-capable DSL router does not really return any feasible router. This is mostly used/deployed on WiFi networks, using APs or WiFi clients.
Are you aware of any DSL router which can use EAP/TLS with PPP? I know that PPP can use EAP/TLS for authentication as well, but I presume PPP on the CPE must be told to use a specific authentication protocol, and on most CPEs the options are CHAP, PAP.

Regards
Raz

From: freeradius-users-bounces+raz.muhammad=cerberusnetworks.co.uk at lists.freeradius.org [mailto:freeradius-users-bounces+raz.muhammad=cerberusnetworks.co.uk at lists.freeradius.org] On Behalf Of Christ Schlacta
Sent: 21 September 2011 06:54
To: freeradius-users at lists.freeradius.org
Subject: Re: User + X Authentication

If you've got sufficient control over CPE and CPE is all sufficiently capable, you should be doing EAP-TLS authentication anyway. If CPE is compromised, you can simply reflash, replace the credentials, and revoke the old ones.

On 9/20/2011 04:18, Raz Muhammad wrote:
Hi,

We are successfully running the following version on our network for our DSL users.

FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

FreeRADIUS was compiled with MySQL and radcheck is used for authentication along with other relevant tables.
We recently had a scenario where security of a CPE is a concern, and using PPP authentication is not enough. Someone suggested using the router's MAC address along with PPP username/password authentication. But this method would rely on getting the router MAC address during the PPP negotiation, and it might be coming via the Calling-Station-Id attribute. Some suggestions are about using EAP and certificates on the router.
I would like to find out what would be the best way to go for an extra layer of authentication-based security while using FreeRADIUS, and how can that be done with MySQL?

Regards
Raz
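
Added example, not part of the original thread and not FreeRADIUS code: a stand-alone Python model of the "username/password plus Calling-Station-Id" check discussed above, using an in-memory SQLite table shaped like `radcheck`. It assumes the NAS reports the router MAC in Calling-Station-Id, compares the password PAP-style (CHAP is not modelled), and the MAC normalisation step, the user `dsl-user1` and all values are constructed for illustration.

```python
import hmac
import re
import sqlite3

def normalize_mac(value):
    """Return 12 lowercase hex digits for common MAC notations, else None."""
    digits = re.sub(r"[-:.]", "", (value or "").strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_db():
    """In-memory stand-in for the MySQL radcheck table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)",
        [("dsl-user1", "Cleartext-Password", ":=", "constructed-secret"),
         ("dsl-user1", "Calling-Station-Id", "==", "00:11:22:aa:bb:cc")])
    return db

def authorize(db, username, password, calling_station_id):
    """Model of the two-part check: password AND expected station id."""
    rows = db.execute("SELECT attribute, op, value FROM radcheck"
                      " WHERE username = ?", (username,)).fetchall()
    if not rows:
        return "reject: unknown user"
    expected_pw = None
    for attribute, op, value in rows:
        if attribute == "Cleartext-Password" and op == ":=":
            expected_pw = value
        elif attribute == "Calling-Station-Id" and op == "==":
            # A missing or unparseable attribute fails closed.
            seen = normalize_mac(calling_station_id)
            if seen is None or seen != normalize_mac(value):
                return "reject: station mismatch"
    if expected_pw is None or not hmac.compare_digest(
            password.encode(), expected_pw.encode()):
        return "reject: bad password"
    return "accept"

if __name__ == "__main__":
    db = build_db()
    # The same router reported in a different notation still matches.
    print(authorize(db, "dsl-user1", "constructed-secret", "00-11-22-AA-BB-CC"))
    # Valid credentials presented from another device are refused.
    print(authorize(db, "dsl-user1", "constructed-secret", "00:11:22:aa:bb:dd"))
```

A MAC address is a value the device itself presents, so this check ties an account to an expected device identifier rather than proving the CPE's identity the way a client certificate would.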




