Mr Dash Four <mr.dash.f...@googlemail.com> wrote:

>>> After reading various howto's and documentation as well as looking at numerous sources on the Internet, I can't see a way in which the AP is authenticated to the RADIUS server by using only its certificate attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always needs some sort of "password" or "shared secret" specified.

>> So it is, you can only protect your AP client with the shared secret key.

> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?

It is. I believe you misunderstood how RADIUS works.

The connection between the AP (called NAS in RADIUS) and the RADIUS server is only protected by the shared secret configured in clients.conf. Yes, this is kind of weak. And because of this weakness a protocol like RADsec has been developed, which is essentially RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole RADIUS session. So far I have not seen any devices like APs, dial-in servers, etc. support RADsec. But this is normally no problem, since those devices are usually located in a safe network with the RADIUS server. RADsec, for example, is used in the Deutsche Forschungsnetz (DFN) to secure inter-university RADIUS connections over the Internet to authenticate eduroam users.

Back to EAP-(T)TLS: the connection between a connecting device such as a laptop and a NAS can be secured via EAP-(T)TLS, which is a protocol transported via RADIUS packets. This of course has been supported by FreeRADIUS for ages.

Regards,
Sven.

--
Sigmentation fault. Core dumped.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
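To make concrete what "only protected by the shared secret" means for the NAS-to-server leg discussed above, here is an added example (not code from the thread or from FreeRADIUS) that builds and verifies the two integrity checks RADIUS actually has: the Response Authenticator of RFC 2865 and the Message-Authenticator attribute of RFC 3579 that EAP-carrying requests must include. The secret `testing123`, identifier 7 and the fixed Request Authenticator are constructed values for the demo.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80  # attribute 80 is RFC 3579

def attr(attr_type: int, value: bytes) -> bytes:
    # One RADIUS attribute: Type, Length (including this 2-byte header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Code, Identifier, Length, 16-byte Authenticator, then the attributes.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # NAS side. HMAC-MD5(secret) over the packet with this attribute's value zeroed (RFC 3579 3.2).
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, packet(ACCESS_REQUEST, ident, request_auth, body), hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, mac))

def check_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    # Server side: find attribute 80, zero its value, recompute, compare in constant time.
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            expected = hmac.new(secret, pkt[:off + 2] + bytes(16) + pkt[off + 18:], hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += length
    return False  # absent: a request carrying EAP-Message without it must be rejected

def access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Server side. MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return packet(ACCESS_ACCEPT, ident, hashlib.md5(header + request_auth + attrs + secret).digest(), attrs)

def check_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    # NAS side: recompute with the Request Authenticator it sent and kept for this Identifier.
    length = struct.unpack("!BBH", resp[:4])[2]
    if length != len(resp) or length < 20:
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def demo() -> tuple:
    # Constructed exchange: the right secret verifies both directions, a different one does not.
    secret, wrong, request_auth = b"testing123", b"testing124", bytes(range(16))
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # EAP Response/Identity "alice", as carried in EAP-Message
    req = access_request(7, request_auth, attr(1, b"alice") + attr(79, eap_identity), secret)
    acc = access_accept(7, request_auth, attr(18, b"Hello alice"), secret)
    return (check_message_authenticator(req, secret), check_message_authenticator(req, wrong),
            check_response(acc, request_auth, secret), check_response(acc, request_auth, wrong))
```

Both checks derive entirely from the clients.conf secret and MD5, which is why the NAS leg is normally confined to a trusted network or wrapped in RADsec, while the EAP-TLS handshake inside EAP-Message attributes authenticates the end device rather than the NAS.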