Authenticator -to- RADIUS connection

Alan DeKok aland at
Tue Oct 5 16:34:52 CEST 2021

On Oct 5, 2021, at 9:51 AM, Turner, Randy <Randy.Turner at> wrote:
> I wasn’t playing peek-a-boo and I didn’t use the phrase “like TLS’, my first question was pretty straightforward.

  It was vague, and based on a vague / incorrect understanding of how RADIUS works.

  i.e. " I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…"

  Because RADIUS doesn't work that way.  This should be a hint... there is no way to do X, because X is impossible.

  When you ask questions based on wrong assumptions, it it's very difficult to answer the questions, for example:

Q: How do I add pumpkins to my cars gas tank
A: Huh?  that makes no sense

  At which point people usually get angry and say "I'm just asking a simple question, why can't you answer it?"

>   We were just trying to understand if we could use something other than a username/password for the authenticator to authenticate to RADIUS.

  The documentation has a long list of authentication methods it supports, as you found.  Which answers your question.

  But in the end, none of this matters.  "I want to use TLS" is not a useful requirement.   Because what matters is what the client / end-user device supports.

  Can you do PAP over WiFi?  No, it's impossible.

  Can you do EAP-TLS in some situations?  No, it's not always possible.

  If you want to use a different authentication type, then read the documentation for the RADIUS client and/or the end user device.  See what they support, and the configure them to use your favourite authentication type.

  Asking if "FreeRADIUS" supports it is completely backwards.  FreeRADIUS doesn't control what the end user device does.  In order to configure the end user device, you need to read the documentation for the end user device.

  It's that simple.

  Alan DeKok.

More information about the Freeradius-Users mailing list