Authentication with certificates

Scott Armitage S.P.Armitage at lboro.ac.uk
Tue Jul 3 10:54:03 CEST 2012


On 3 Jul 2012, at 09:16, Andreas Meyer wrote:
> 
>> 
>>> Where can I read what other possibilities there are to authorize a client
>>> for an AP using a RADIUS server as backend.
>> 
>> it depends what you want to do. you were talking about authenticating
>> using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
>> which means the client uses a certificate
> 
> OK
> 
> I wonder what other possibilities than certificates there are to authorize
> a client to a network using WLAN. Like hotspots, internet cafes and hotels
> for example. I mean, handing over a certificate to a client on a USB stick
> seems impractical to me.

In the world of EAP, certificates are needed. For EAP-TLS based methods you need a certificate to identify the RADIUS server. When you begin an authentication attempt the RADIUS server will pass its server cert to the client, so the client can verify it is talking to a legitimate RADIUS server. Without the server cert, how do you know you are talking to your RADIUS server and not some rogue?

Aside from the server cert you can also have client certs, which are used to identify the client to the server. However, you don't have to use client certs; you can use other authentications, e.g. username / password. The most common password based authentications are MSCHAPv2 and PAP. Of course these authentications need to be wrapped in a secure tunnel, so will be inside of an EAP-TLS method, e.g. PEAP or TTLS:

PEAP/MSCHAPv2
TTLS/PAP
TTLS/MSCHAPv2

Out of the box without any config FreeRADIUS will do PEAP.  With a fresh install all you need to do is add a user password to raddb/users e.g.

joe  NT-Password := "ABCDEF1234567890ABCDEF1234567890"
     Reply-Message = "Hello, %{User-Name}"

andy Cleartext-Password := "p4ssw0rd"
     Reply-Message = "Hello, %{User-Name}"

Run radiusd -X, try and authenticate and look at what is happening.  


Without wanting to confuse you too much, there is also a new EAP method called EAP-PWD which doesn't use any certificates. This has very limited support in clients at the moment so isn't very practical. It uses some crazy cryptography which avoids the need for certs.


For some more background on deploying 802.1X have a read of this (http://www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf)


Thanks

Scott Armitage
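The users entries above show two ways to store a password: as an NT-Password hash (joe) or as Cleartext-Password (andy). The following is an added example, not part of Scott's message or of the FreeRADIUS project, that computes the NT-Password value for a given password (MD4 over the UTF-16LE encoding) and renders both entry styles in the raddb/users layout. The hash in joe's entry is a placeholder from the post; the sample user names and passwords below are constructed. MD4 is implemented in the script itself because hashlib on OpenSSL 3 frequently lacks it unless the legacy provider is loaded.

```python
# Added example (not from the post or the FreeRADIUS project): compute the
# NT-Password hash FreeRADIUS expects in raddb/users and render the two
# entry styles from the post. MD4 is implemented locally because Python's
# hashlib often lacks it on OpenSSL 3 without the legacy provider.
import struct

_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # 64-bit little-endian bit length

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Round 1: F, message words in order, shifts 3/7/11/19.
        # Each step rotates the working variables so one expression serves all.
        for i in range(16):
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + f(b, c, d) + X[i]) & _M, s), b, c
        # Round 2: G, words 0,4,8,12,1,5,9,13,..., constant 0x5A827999
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & _M, s), b, c
        # Round 3: H, words 0,8,4,12,2,10,..., constant 0x6ED9EBA1
        for i in range(16):
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + h(b, c, d) + X[order3[i]] + 0x6ED9EBA1) & _M, s), b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M

    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password(password: str) -> str:
    """NT hash as used by MSCHAPv2: MD4 over UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_entry(name: str, password: str, hashed: bool = True) -> str:
    """Render one raddb/users entry: check item on the first line, reply
    item indented on the next line, the same shape as in the post."""
    if hashed:
        check = f'{name}\tNT-Password := "{nt_password(password)}"'
    else:
        check = f'{name}\tCleartext-Password := "{password}"'
    return check + '\n\tReply-Message = "Hello, %{User-Name}"\n'


if __name__ == "__main__":
    # Constructed sample users; "password" is a widely published MD4/NT test value.
    print(users_entry("joe", "password", hashed=True))
    print(users_entry("andy", "p4ssw0rd", hashed=False))
```

Either form works for PEAP/MSCHAPv2, since rlm_mschap needs only the NT hash and derives it from Cleartext-Password when that is what is stored; storing NT-Password keeps the cleartext out of the users file, which is the better choice when the file is shared or backed up. After adding an entry, `radiusd -X` shows which of the two the mschap or pap module picked up.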
