EAP-TTLS not working

Stefan Winter stefan.winter at restena.lu
Thu Nov 3 09:17:14 CET 2016


> yes I tried to use a TTLS-PAP profile and it worked without any
> reconfiguration.
> I don't like the thought of having weak passwords in LDAP at all and on
> the other hand TLS on radius clients can also not be made 100% secure.
> So I guess my next step is to go for client certs for the people with a
> lot of permissions on systems.

When using passwords, there is no good solution.

PAP exposes the password to an attacker as soon as the user is negligent
and "clicks accept" to an unknown server warning. But in exchange, you
can use more advanced hashing techniques on your database backend; e.g.
salted SHA-512 would work for password backend storage.

MSCHAPv2 transmits the password in not-quite-cleartext (but really do
not have any illusions that this is proper security); but in exchange,
you need to store the passwords in your DB in either cleartext or
NT-Hash format.

If you need more than that, a more recent choice with passwords (but
without the opportunity to "click accept" at all) is EAP-pwd. Or if you
do make the leap to client certs, EAP-TLS. That's about all the options
you have.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
