Authenticator -to- RADIUS connection

[Turner, Randy]

I guess I was thinking about using mutual TLS for the authenticator to authenticate itself to the FreeRADIUS server…rather than a username and password..

R.

From: Freeradius-Users <freeradius-users-bounces+randy.turner=landisgyr.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Date: Tuesday, October 5, 2021 at 9:33 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Authenticator -to- RADIUS connection
On Oct 5, 2021, at 9:29 AM, Turner, Randy <Randy.Turner at landisgyr.com> wrote:
>
> There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…

  For the simple reason that it's impossible.

  How does a web server control whether the browser does GET / POST / whatever?

  How does a DNS server control whether the client asks for an A / AAA / NS record?

  It doesn't.  It's impossible.

  FreeRADIUS supports PAP, CHAP, MS-CHAP, HTTP Digest, EAP, etc.  All of this is documented.  There is simply no way (outside of very narrow situations) for the server to tell the client "use CHAP and not PAP".

  Alan DeKok.


-
List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Crandy.turner%40landisgyr.com%7C3889accc6d6b4e9ed30608d98804c89f%7Cee2cd48b958f4be49852b8f104c001b9%7C0%7C0%7C637690376396083630%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=1dDpETnEo3kFL0zjvgDPvy5ApwOoLaC2FxQv%2BPIdsXo%3D&reserved=0