I am trying to set up a freeRADIUS server implementing (wireless) user authentication (running wpa_supplicant) via an AP (running hostapd).

After reading various howtos and documentation as well as looking at numerous sources on the Internet, I can't see a way in which the AP is authenticated to the RADIUS server by using only its certificate attributes (CN, Subject, Issuer, etc.) - it seems that freeRADIUS always needs some sort of "password" or "shared secret" specified.

Is it possible *not* to use this and rely solely on the strength/culpability (depending on the way one looks at it) of PKI? If so, how do I achieve that? A very simple configuration file example would suffice! In relation to that - another question: the rlm_eap text file (in the doc/ directory) distributed with the source code (I am using 2.1.12) states that "Currently Freeradius supports only 2 EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so?

As for the actual EAP-TTLS/EAP-TLS authentication process I have another query - my understanding of the theory behind this method is that the authentication/authorisation process is done in two distinct phases - outer and inner authentication. This also allows for the use of two distinct sets of (client, server, ca) certificates to be specified in each phase. If that is so, how is this configured/specified in the eap.conf configuration file (or elsewhere)?

Many thanks!