Hi Alan,

Basically:

When you have a client machine that is connecting to a NAS using EAP/TLS and variations thereof, the encrypted path is ONLY between the client machine and the NAS (be it wired or wireless).

The Radius server provides the initial encryption path between the client machine and the radius server only during the authentication/authorization phase of the connection process. The radius server uses the TLS side of the connection for the authorization transactions once the TLS tunnel is established and credentials have been verified (by virtue of the security certificates both the radius server and client machine have installed) ... with TTLS only the radius server has a certificate and the encryption phase is handled by a certificate generated on the radius server for that specific session - once validated, the NAS and the client machine receive an encryption key to use during the connection session (and the key is renewed with a new key for the NAS and client machine every so often - 300 seconds I think is the default setting in FreeRadius's configuration file)....

If you need encryption from the client machine to a distant server/workstation, then you will need to implement some additional encryption mechanism between those end-points, as the PEAP/TLS session is ONLY between the NAS and the client machine connecting to the NAS...

I hope this helps....

Gary N. McKinney

----- Original Message ----- 
From: "Alan Russell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 01, 2004 3:27 PM
Subject: Re: Alan


> > On Thu, 1 Apr 2004 12:16:30 -0600, Alan Russell wrote:
> >
> > >No offense taken.  I am developing this project myself (trying to learn as
> > >much as I can).  I posted this comment because I set up freeradius with
> > >PEAP-TLS on a wireless network.  I then connected one computer with ethernet
> > >to the same network.  I ran ethereal to examine packets on the network and
> > >when I authenticate with the wireless notebook (Win XP sp1) I can see the
> > >username but not the password.  However, after authentication, traffic on
> > >the network that is going to and from the wireless notebook is not
> > >encrypted.  This is why I was wondering if all traffic is supposed to be
> > >encrypted or only the password info during authentication.
> > >Thanks,
> > >Alan
> > If I understand what you're saying then this is a complete lack of understanding
> > of basic wireless principles on your part and has NOTHING to do with any
> > RADIUS product.
> >
> > The encryption, if used, is between the AP and the wireless card. If you're
> > sniffing on a wire after the wireless receiving end, of course it's plain text.
> > The packets are encrypted in the AIR; once they are on the wire, in most
> > circumstances it's plain text. Get a wireless sniffer and you will see.
> >
> > If this is not what you are describing please clarify.
> >
> >
> > ------------------------------------------------------------------
> >  Chris Blanchard
> > ------------------------------------------------------------------
> > Think of it as evolution in action
> >                    -Larry Niven & Jerry Pournelle
> > ------------------------------------------------------------------
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> Let me ask this a different way.  Forget the wireless aspect, let's assume a
> wired scenario.  (Client Machine <---> NAS <---> RADIUS )
> When using PEAP-TLS, is data only encrypted between the Client and NAS?  If
> so, does the data remain encrypted throughout the entire session?
> Thanks,
> Alan
>
>




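What actually moves between the three parties in Alan's wired scenario (Client Machine <---> NAS <---> RADIUS) once EAP-TLS or PEAP completes, shown as an added example that is not part of the thread and is not FreeRADIUS code: after the TLS handshake, the client and the RADIUS server each derive the same MSK from the TLS master secret (RFC 5216 section 2.3); the RADIUS server then hands the NAS its copy in the Access-Accept as MS-MPPE-Recv-Key and MS-MPPE-Send-Key (RFC 2548), wrapped with MD5 keyed by the RADIUS shared secret and the Request-Authenticator; from there on only the NAS and the client hold that key material, which is why the session's link encryption (on 802.11, the keys from the 4-way handshake seeded by this MSK) stops at the NAS. The function names are hypothetical, the sample master secret, randoms and shared secret are constructed, and the derivation assumes a TLS 1.2 session (P_SHA256 PRF); a TLS 1.0 session of the kind this 2004 thread would have used runs the same steps with the MD5/SHA-1 PRF of RFC 2246.

```python
import hashlib
import hmac
import struct

MS_VENDOR_ID = 311      # Microsoft vendor ID used by RFC 2548 attributes
MS_MPPE_SEND_KEY = 16   # vendor-type, RFC 2548 section 2.4.2
MS_MPPE_RECV_KEY = 17   # vendor-type, RFC 2548 section 2.4.3


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF, P_SHA256 (RFC 5246 section 5). Assumption: TLS 1.2 negotiated."""
    full_seed = label + seed
    a = full_seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return out[:length]


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216 section 2.3: both the client and the RADIUS server run this after the
    handshake, so neither side ever sends the MSK over the wire. Returns
    (MSK, EMSK, recv_key, send_key) using the server-side MS-MPPE naming."""
    km = tls12_prf(master_secret, b"client EAP encryption",
                   client_random + server_random, 128)
    msk, emsk = km[:64], km[64:]
    return msk, emsk, msk[:32], msk[32:64]


def mppe_encrypt(secret: bytes, request_authenticator: bytes, key: bytes, salt: bytes) -> bytes:
    """Wrap a key as an MS-MPPE-*-Key value (RFC 2548 section 2.4.2): MD5 keystream
    keyed by the RADIUS shared secret, chained through the ciphertext blocks."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)  # zero-pad to a multiple of 16
    cipher = b""
    for i in range(0, len(plain), 16):
        if i == 0:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + cipher[i - 16:i]).digest()
        cipher += bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
    return salt + cipher


def mppe_decrypt(secret: bytes, request_authenticator: bytes, value: bytes) -> bytes:
    """What the NAS does with the attribute it receives in the Access-Accept."""
    salt, cipher = value[:2], value[2:]
    if len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key value")
    plain = b""
    for i in range(0, len(cipher), 16):
        if i == 0:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + cipher[i - 16:i]).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("bad key length: wrong shared secret or corrupted attribute")
    return plain[1:1 + key_len]


def mppe_vsa(vendor_type: int, value: bytes) -> bytes:
    """Frame a wrapped key as RADIUS attribute 26 (Vendor-Specific), vendor 311."""
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", MS_VENDOR_ID) + vendor_part
    return struct.pack("!BB", 26, 2 + len(body)) + body


def demo():
    """One session end to end with constructed values (a real handshake produces them)."""
    master_secret = bytes(range(48))       # constructed TLS master secret
    client_random = b"\x11" * 32           # constructed ClientHello.random
    server_random = b"\x22" * 32           # constructed ServerHello.random
    shared_secret = b"testing123"          # constructed NAS/RADIUS shared secret
    request_auth = bytes(range(16))        # constructed Request-Authenticator
    # Both client and RADIUS server compute this independently.
    msk, _, recv_key, send_key = eap_tls_keys(master_secret, client_random, server_random)
    # RADIUS server -> NAS, inside the Access-Accept.
    wrapped_recv = mppe_encrypt(shared_secret, request_auth, recv_key, b"\x80\x01")
    wrapped_send = mppe_encrypt(shared_secret, request_auth, send_key, b"\x80\x02")
    # NAS unwraps with the same shared secret and the authenticator from its request.
    nas_recv = mppe_decrypt(shared_secret, request_auth, wrapped_recv)
    nas_send = mppe_decrypt(shared_secret, request_auth, wrapped_send)
    return {"msk": msk, "recv_key": recv_key, "send_key": send_key,
            "vsa_recv": mppe_vsa(MS_MPPE_RECV_KEY, wrapped_recv),
            "nas_recv": nas_recv, "nas_send": nas_send}


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name}: {val.hex()}")
```

The wrap in mppe_encrypt is the only confidentiality the session key gets on the RADIUS-server-to-NAS hop: an MD5 keystream under the shared secret, with packet integrity coming only from Message-Authenticator (RFC 3579). A weak or reused shared secret, or an attacker on that segment, exposes every session key, so that hop is normally kept on a trusted management network or carried inside RadSec or IPsec.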
