Chris Woodfield <[EMAIL PROTECTED]> wrote:

> 1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been unable to successfully create a cert that freeradius likes. In the radiusd.conf file, there's a certificate_file argument, along with a CA_file argument. My understanding of the reason for this is that with EAP-TLS, authentication is done by certs alone - the user must have the server cert's public key loaded, and the user must present a public key signed by the CA.
Yes. But TTLS still requires a server certificate.

> But with TTLS, the client cert does not appear to be a requirement. Does that mean I can use a self-signed cert and not worry about the CA_file, or do I still need to create both?

You still need a server certificate.

> And if so, does anyone have a working openssl recipe to create these? So far I've been unsuccessful in creating anything other than a self-signed key.

See scripts/CA.all

> 2. I think I'm missing some understanding when it comes to the differences between authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which authenticates based on md5 hashes in /etc/shadow),

Huh? Why not just use 'System' authentication?

> I have "DEFAULT Auth-Type := Pam" in my users file; do I need to do anything further depending on the auth protocol I use "inside" the EAP-TTLS tunnel (pap, chap, etc)?

CHAP won't work with passwords from /etc/passwd. See the FAQ.

> 3. I'm really, really in the dark when it comes to the key distribution mechanism. With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the radius server handle that,

Yes.

> Is there a knob in the config I need to set up for this?

No.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
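Added example, not part of the thread above and not FreeRADIUS's own scripts/CA.all: a minimal openssl recipe that produces what the question asks for, a private CA plus a server certificate signed by it, which is the pair EAP-TLS and EAP-TTLS both need on the server side (clients trust the CA; the server presents the signed certificate). The CA name, the server name radius.example.org and the output file names ca.pem, server.pem and server.key are this example's assumptions; substitute your own. The server certificate is given the serverAuth extended key usage because common supplicants (the Windows one in particular) refuse a server certificate that lacks "TLS Web Server Authentication", which is a frequent reason a self-made cert is rejected even though the RADIUS server itself loads it.

```shell
#!/bin/sh
# Added example (not scripts/CA.all): build a private CA and an EAP server
# certificate signed by it, then verify the chain the way a supplicant would.
# Assumed names: "Example RADIUS CA", radius.example.org, ca.pem/server.pem/server.key.
make_eap_server_cert() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Private CA, self-signed, 10 years. Distribute ca.pem to the clients;
    #    it is what FreeRADIUS's CA_file points at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example RADIUS CA"

    # 2. Server key and certificate request. The CN should match the name
    #    clients are told to expect.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=radius.example.org"

    # 3. Sign the request with the CA. The serverAuth EKU is what makes
    #    supplicants accept this as a TLS server certificate; a plain
    #    self-signed cert without it is the usual "cert not liked" case.
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:radius.example.org\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 730 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem"

    # 4. Check the chain against the CA; exit status is the function's result.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem"
}

# Usage: make_eap_server_cert /etc/raddb/certs
```

The resulting files map onto the tls section of the EAP configuration as certificate_file = server.pem, private_key_file = server.key and CA_file = ca.pem (private_key_file is the companion directive to the two named in the question). Keep ca.key off the RADIUS host once signing is done; only ca.pem needs to be there.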