On 26.11.2011 22:04, Mr Dash Four wrote:
> I am trying to set up freeRADIUS server implementing (wireless) user
> authentication (running wpa_supplicant) via AP (running hostapd).
>
> After reading various howto's and documentation as well as looking at
> numerous sources on the Internet, I can't see a way in which the AP is
> authenticated to the RADIUS server by using only its certificate
> attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always
> needs some sort of "password" or "shared secret" specified.
>
So it is, you can only protect your AP client with the shared secret key.

> Is it possible *not* to use this and rely solely on the
> strength/culpability (depending on the way one looks at it) of PKI? If
> so, how do I achieve that? A very simple configuration file example
> would suffice! In relation to that - another question: the rlm_eap
> text file (in the doc/ directory) distributed with the source code (I
> am using 2.1.12) states that "Currently Freeradius supports only 2
> EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so?
>
> As for the actual EAP-TTLS/EAP-TLS authentication process I have
> another query - my understanding of the theory behind this method is
> that the authentication/authorisation process is done in two distinct
> phases - outer and inner authentication. This also allows for the use
> of two distinct sets of (client, server, ca) certificates to be
> specified in each phase. If that is so, how is this
> configured/specified in the eap.conf configuration file (or elsewhere)?
>
> Many thanks!
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html