freeradius eap-ttls user/pass + cert
Matthew Newton
mcn4 at leicester.ac.uk
Thu Feb 23 23:38:48 CET 2012
On Thu, Feb 23, 2012 at 08:43:09PM +0000, vw58t1 at yahoo.no wrote:
> On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
> > 2. configured ttls/server cert password in eap.conf and everything worked
> > fine. Then I read somewhere that username/password authentication alone is
> > not secure as some information is passed in clear text?!
>
> You need to decide what auth methods you want to support.
>
> PAP on its own sends the password in clear-text.
>
> Sounds like you are trying to set up EAP-TTLS/PAP, which means
> that the password is now inside a TLS tunnel, so no longer
> clear-text on the wire.
>
> I choose the TTLS because it's widely supported and might be used either with or without certificates.
> I would like to use username/password to securely authenticate users, that is encrypted username/password.
> You mean it's enough to only activate ttls as eap method in eap.conf and add a user to users file? isn't username transferred in clear text?
If you enable pap in the default (outer) server, you will be able
to authenticate with pap and clear-text passwords.
If you only put pap in the inner-tunnel server, then it will have
to be encrypted with the TTLS tunnel first.
You can never stop a misconfigured client sending a clear-text
password, of course... but you at least won't authenticate it.
> Yes, but it also works without ":" and can only be
> applied to default-file, applying to inner-tunnel makes no
> difference at all.
Setting this in the inner-tunnel is too late. The TLS tunnel is up
by then.
Either = or := in this situation should be fine. := will force it
to be set; = will not change the value if the attribute already
exists.
> If you want to use certificates for authentication then you're
> probably best to just use EAP-TLS (not TTLS).
>
> I would not want to use TLS as it requires full PKI with
> both ca, server and client - certificates
By wanting to use client certificates with TTLS, you're
essentially asking for the same thing.
So - back to my original statement: You need to decide what auth
methods you want to support.
If you just want to ensure your passwords are not clear, then use
EAP-TTLS (or PEAP), with e.g. PAP in the inner, and forget about the
client certificates (remove EAP-TLS-Require-Client-Cert = Yes).
If you want to authenticate with passwords, *and* force client
certificates ("full PKI"), then you will need
EAP-TLS-Require-Client-Cert = Yes, and you'll have to get the CA
on both client & server, and issue certificates to both. You'll
then need to manage a CA with issuing certificates to all your
clients (which had better support TTLS with client certificates),
etc.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
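As an added example (not from the thread or the FreeRADIUS project), a minimal FreeRADIUS 2.x layout that follows the advice above: PAP only in inner-tunnel, no pap in the outer server, and the client-certificate requirement set in the outer server's authorize section before eap runs. Section and module names are FreeRADIUS defaults; the user entry, the certificate file names and the use of ${certdir}/${cadir} are assumptions.

```text
# --- raddb/eap.conf (assumed certificate paths; ${certdir} and ${cadir}
# --- are the stock variables from radiusd.conf) ---
eap {
    default_eap_type = ttls
    tls {
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
    }
    ttls {
        default_eap_type = md5
        # The inner (tunneled) request is handled by a separate virtual server.
        virtual_server = "inner-tunnel"
    }
}

# --- raddb/sites-enabled/default (outer server, talks to the NAS) ---
authorize {
    preprocess
    # Weak setting (do not keep): "pap" here lets a misconfigured client
    # authenticate with a clear-text password outside any TLS tunnel.
    #pap
    # Optional: require a client certificate during the TLS handshake.
    # It must be set here, in the outer server; inner-tunnel only runs
    # after the tunnel is already up, so setting it there is too late.
    update control {
        EAP-TLS-Require-Client-Cert := Yes
    }
    eap
}
authenticate {
    # Only EAP may authenticate in the outer server; no "Auth-Type PAP" here.
    eap
}

# --- raddb/sites-enabled/inner-tunnel (runs inside the TTLS tunnel) ---
authorize {
    # users file entry (constructed): alice  Cleartext-Password := "secret"
    files
    # Sets Auth-Type := PAP when a User-Password is present in the request.
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
```

With this layout a client that sends a bare PAP request to the outer server finds no PAP handler and is rejected, while the same credentials inside EAP-TTLS are checked by inner-tunnel.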