Request Help On setting up SSL using external server certs on freeradius

Hans-Christian Esperer hc at
Sat Jan 12 12:46:14 CET 2019


On Sat, Jan 12, 2019 at 03:29:08PM +0530, shivu prasad wrote:
> Thee module is working fine as the part of hardening I thought of enabling
> the SSL(server certs) so that all client request to server and server to
> clients go via this SSL.

Not exactly sure I follow, but if you wish to encrypt the connection between
clients and the radius server, you need to use PEAP or EAP-TTLS. They are very
similar in what they achieve.

Basically, PEAP is to EAP what HTTPS is to HTTP. Inside the PEAP or TTLS
"tunnel" happens the real radius authentication.

Just have a look at mods-available/eap, in particular the PEAP {} section.
There's a configuration option called inner_tunnel. Inner_tunnel specifies the
server configuration that is to be used inside the PEAP connection, that would
otherwise be unprotected.

> Is Configure the SSL between radius server  and clients is required?

It is not required, but if the communication between the radius server and the
clients can be intercepted, such as is the case with WIFI, then it's a really
good idea to enable encryption.

The EAP-PWD authentication method works encrypted but doesn't require any
certificates/TLS setup to be configured, as it uses other means to securely
exchange the passphrase; however, it's not yet supported by all platforms and
only works with pre shared passphrases.

HTH a bit,

More information about the Freeradius-Users mailing list