OpenLDAP+FreeRadius Encryption

Alan DeKok aland at
Wed Feb 3 18:41:05 CET 2016

On Feb 3, 2016, at 12:31 PM, Greg Mischel Smith <gregms at> wrote:
> Honestly, I haven't looked much at EAP-TTLS yet, but am starting to.
> If I understand correctly, this tends to be more certificate based
> authentication.

  No.  EAP-TLS requires client certs.  EAP-TTLS does not.

> We have a lot of personal cell phones. My presumption
> would be that we would have to load certificates onto these devices,
> is that correct?


> If that will get us around our problem, I'm open to
> that, but prefer not due to complexity.  I'm just starting to look for
> documentations suggesting how to do this. It would be going through a
> Cisco WLC. I'm seeing EAP-TLS option on the WLC, but nothing specific
> with EAP-TTLS.

  You shouldn't need to configure the access point for EAP-TLS versus EAP-TTLS.  They should all just work.

> And in all honesty, if freeradius isn't the best solution for what
> we're trying to do,

  FreeRADIUS is a RADIUS server.  It doesn't manage 802.1X configurations on user machines.

  FreeRADIUS does more, and is more flexible than any commercial RADIUS server.

> if we need to purchase something like Cisco ACS,
> that would be on the table, I just know having OpenLDAP with plaintext
> passwords just isn't an option (even with ACLs on them).

  That table outlines the limitations for *all* RADIUS servers.  These limitations are determined by the authentication method, not by the RADIUS server implementation.

  You will run into identical limitations with ACS.  Their sales people may lie to you, but we won't.

  Alan DeKok.
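As an added illustration (not from the original thread, and not the FreeRADIUS project's shipped defaults), here is a trimmed mods-available/eap and sites-available/inner-tunnel fragment for the setup Alan is pointing at: EAP-TTLS with a non-EAP PAP inner method, so FreeRADIUS can bind to OpenLDAP with the user's password and the directory keeps hashed (for example {SSHA}) userPassword values. Certificate paths, the LDAP server and the base DN are placeholders. The comments carry the password-compatibility caveat that the thread refers to: PEAP with EAP-MSCHAPv2 inside cannot be verified against an LDAP bind or a salted hash; it needs cleartext or NT-hash passwords, and that is a property of MSCHAPv2, not of any particular RADIUS server.

```conf
# mods-available/eap  (trimmed; illustration only, not the shipped default)
eap {
    # Advertise TTLS first.  EAP-TTLS needs a server certificate only;
    # the client proves its identity inside the tunnel with a password.
    # (Contrast EAP-TLS, which requires a certificate on every client.)
    default_eap_type = ttls

    tls-config tls-common {
        # Server certificate chain.  Assumed paths: replace with your own.
        private_key_file = /etc/ssl/private/radius.key
        certificate_file = /etc/ssl/certs/radius.pem
        ca_file          = /etc/ssl/certs/ca.pem
        tls_min_version  = "1.2"
    }

    ttls {
        tls = tls-common
        # The inner (tunneled) authentication is processed by the
        # inner-tunnel virtual server below.
        virtual_server = "inner-tunnel"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }

    # PEAP is left commented out on purpose: its common inner method is
    # EAP-MSCHAPv2, which cannot be checked against an LDAP bind or a
    # salted {SSHA} hash.  MSCHAPv2 needs cleartext or NT-hash passwords
    # in the directory, whatever RADIUS server sits in front of it.
    # peap {
    #     tls = tls-common
    #     default_eap_type = mschapv2
    #     virtual_server = "inner-tunnel"
    # }
}

# mods-available/ldap  (trimmed; server and base DN are placeholders)
ldap {
    server  = 'ldaps://ldap.example.org'
    base_dn = 'ou=people,dc=example,dc=org'
    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-available/inner-tunnel  (trimmed)
server inner-tunnel {
    authorize {
        # TTLS clients on phones commonly send the inner credential as
        # PAP.  With a plain User-Password available, authentication is
        # done by binding to LDAP as the user, so OpenLDAP never has to
        # store or disclose a cleartext password.
        ldap
        if ((ok || updated) && User-Password) {
            update control {
                Auth-Type := ldap
            }
        }
        # Clients that negotiate EAP-MSCHAPv2 inside TTLS land here; this
        # path only works if LDAP returns a cleartext or NT-hash password.
        eap
        pap
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
        Auth-Type PAP {
            pap
        }
        eap
    }
}
```

The design point is that the password-storage constraint is decided by the inner method the supplicant negotiates, not by the RADIUS server: force or prefer TTLS/PAP on the clients and any hashed userPassword works via LDAP bind; allow PEAP/MSCHAPv2 and the directory must expose a reversible or NT-hash secret.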
