EAP-TLS and random_file

Alan DeKok aland at deployingradius.com
Mon Feb 10 18:48:48 CET 2014

Gregory Sloop wrote:
> In many of them, the random_file is a pre-generated random set of
> data.
> Knowing what [modest amount] I do, this seems like an incredibly bad
> idea. [At least with a functional random number generator at your
> disposal.]


> There is at least one newer one using /dev/urandom [pseudo-random]. The
> stock eap.conf file in Ubuntu also does this.
> I'm curious about why it would have ever been a pre-generated set of
> bits, which essentially have no entropy once they're given out/used -
> because they're not random any more, they're predictable.

  It's historical.

> If some kind soul would give me the trivia edition of why this was
> a common solution, I'd be grateful. [Or school me, nicely or course,
> about why you think it's an "Ok" practice.]

  It's not.

  Alan DeKok.

More information about the Freeradius-Users mailing list