Relaying EAP packets with freeradius-client

Simo Tappola simo.tappola at gmail.com
Tue Sep 12 08:07:29 UTC 2023


On Mon, 11 Sep 2023 at 20:44, Alan DeKok (aland at deployingradius.com)
wrote:

> On Sep 11, 2023, at 12:56 PM, Simo Tappola <simo.tappola at gmail.com> wrote:
> > a FreeRADIUS newbie here, with a (hopefully) basic question: I am
> > struggling to figure out how to use freeradius-client as NAS/authenticator
> > when authenticating a supplicant to freeradius-server.
>
>   The short answer is you don't.  The freeradius-client library is
> intended to do RADIUS.  EAP is substantially more complex.
>
>   If you need to implement EAP, then I would suggest looking at hostap /
> wpa_supplicant.  It has a large set of EAP methods available, and is very
> well documented.  It even has a basic RADIUS client which is used in the
> eapol_test program.
>

I re-read my original post and realised I may have given the impression that
I am implementing the supplicant part, while in reality I am working on the
NAS/authenticator. The supplicant(s) is/are just black boxes for now,
although later it might be feasible to also transfer custom data from the
authenticator to supplicants, which, in my admittedly limited
understanding, should be possible with EAP. That's also why piggy-backing
the EAP packets inside RADIUS frames seemed like a clever option. Wireshark
also decoded the frames - including embedded EAP packets - correctly.

Which library/component would be your recommendation in the authenticator
device? I don't particularly *want* to write any code, but at least some
amount of customization seems unavoidable.


> I have to ask why you're writing yet another EAP library.  There's already
> source code available in hostap.
>
>   Plus, EAP-MD5 isn't any better than CHAP.  It's 99.9% CHAP, but just
> wrapped in an EAP layer.  It adds complexity for no additional benefit.
>
>   So rather than talking about technical details, perhaps you can explain
> why you need to do EAP, and why you're re-implementing EAP.
>

Learning, that's the short answer. I've only just begun dabbling in this
and don't really know what I'm doing yet. So for now this is mainly a
research project, and MD5 seemed like a reasonably simple first try.
Ultimately, PEAP/TLS is probably the way to go, but I would first like to
understand the (best, hopefully, or at least good) options I have in the
authenticator.


Regards,

Simo
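
The relaying discussed in this thread, as an added example that is not part of the original messages or of freeradius-client: an authenticator wraps an opaque EAP packet in EAP-Message attributes (type 79) of an Access-Request and protects it with Message-Authenticator (type 80), following RFC 3579. All function names are hypothetical, the sample EAP packet is constructed, and User-Name and the NAS-identifying attributes a real request carries are left out.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RFC 3579 attribute types

def attr(attr_type, value):
    """One RADIUS attribute: type, length (2-octet header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def relay_eap(eap_packet, secret, radius_id, request_auth):
    """Wrap an opaque EAP packet from the supplicant in an Access-Request."""
    body = b""
    # Attribute values are capped at 253 octets, so a longer EAP packet is
    # split across consecutive EAP-Message attributes, kept in order.
    for off in range(0, len(eap_packet), 253):
        body += attr(EAP_MESSAGE, eap_packet[off:off + 253])
    mac_at = 20 + len(body) + 2  # offset of the 16-octet MAC value
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, radius_id, 20 + len(body))  # code 1
    packet = bytearray(header + request_auth + body)
    # HMAC-MD5 keyed with the shared secret, over the packet with MAC zeroed.
    mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    packet[mac_at:mac_at + 16] = mac
    return bytes(packet)

def attributes(packet):
    """Yield (offset, type, value) for each attribute after the header."""
    pos = 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        yield pos, packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def unwrap_eap(packet, secret):
    """Server side: verify Message-Authenticator, then reassemble EAP."""
    for pos, a_type, value in attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(expected, value):
                return b"".join(v for _, t, v in attributes(packet)
                                if t == EAP_MESSAGE)
    return None  # missing or wrong Message-Authenticator: discard silently

def sample_identity_response(eap_id, identity):
    """Constructed sample: EAP-Response (code 2), type 1 (Identity)."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity
```

The authenticator never interprets the EAP payload here; it only fragments, wraps and signs it, which is why the same relay path works unchanged for EAP-MD5 and for PEAP/TLS.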

