Mr Dash Four <mr.dash.f...@googlemail.com> wrote:

>>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in
>>> freeRADIUS?
>> It is. I believe you misunderstood how RADIUS works.
>>
> Maybe, considering I've been reading about RADIUS for just over 2 days...

>> The connection between the AP (called NAS in RADIUS) and the
>> RADIUS-Server is only protected by the shared secret configured in
>> clients.conf.
>>
>> Yes, this is kind of weak.
> It is *very* weak, not least because connections can be intercepted as,
> I presume is the case here, this "shared secret" is transmitted in the
> clear over the wire. If that is not the case and it is hashed, then,
> that's another story.

No, the shared secret is not transmitted over the wire. For additional
information see RFC 2865, §2: "When a password is present, it is hidden
using a method based on the RSA Message Digest Algorithm MD5" (see RFC131).

>> And because of this weakness a protocol like RADsec has been
>> developed, which is essentially RADIUS-with-SSL-over-TCP, thus
>> providing strong encryption of the whole RADIUS session.
> Interesting, noted. It would be nice if this works in a similar way as
> the SSL handshake works - this is very secure, tested and already
> established in the real world.

RadSec works this way, yes. Think of it like HTTPS for RADIUS.

>> Back to EAP-(T)TLS:
>>
>> The connection between a connecting device such as a laptop, which
>> connects to a NAS, can be secured via EAP-(T)TLS, which is a protocol
>> transported via RADIUS packets.
>>
>> This of course has been supported by FreeRADIUS for ages.
> OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication
> happens in two distinct stages: the first stage (EAP-TTLS) is the outer
> authentication where the server presents its credentials/certificate to
> the client and then the secure channel is established. Phase two
> (EAP-TLS in my case) is where the client - via its client certificate -
> is actually authenticated to the RADIUS server. Now, I was hoping that
> the AP does this in a similar sort of way when authenticating itself to
> the RADIUS server, but it seems that is not the case and this is indeed
> a weak point.

No, the AP does not authenticate itself to the RADIUS server via TLS,
just via the shared secret configured in clients.conf.

> My question still remains though - since this is a two-phase
> authentication, two distinct sets of (ca, server, client) certificates
> can be used. How do I specify these in RADIUS?

Which distinct set of certificates? The server certificate and key are
configured via eap.conf. Which client certificates the RADIUS server
trusts is configured via CA_file, also in eap.conf.

Regards,
Sven.

--
Sigmentation fault. Core dumped.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
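The following is an added example, not code from Sven's post or from the FreeRADIUS project. It shows concretely what "the shared secret is not transmitted over the wire" means: the NAS side hides the User-Password with the RFC 2865 §5.2 MD5/XOR scheme the reply cites, and the server side reveals it again. It goes one step beyond the post by also computing and checking the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the shared secret), which is the mechanism by which a NAS actually proves knowledge of the secret to the server without sending it. The shared secret "testing123", the user "alice" and the password "hunter2" are constructed inputs for this example.

```python
"""Added example: RFC 2865 User-Password hiding plus RFC 3579
Message-Authenticator, client and server side. Not FreeRADIUS code.
Inputs such as the secret b"testing123" are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RADIUS Code
ATTR_USER_NAME = 1               # RFC 2865 section 5.1
ATTR_USER_PASSWORD = 2           # RFC 2865 section 5.2
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2
HEADER_LEN = 20                  # Code, Identifier, Length, Request Authenticator


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each 16-byte chunk with
    MD5(secret + previous ciphertext chunk), seeded with the Request
    Authenticator. Neither the secret nor the password appears in the output."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side inverse of hide_password; trailing NULs are padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, mask)), chunk
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV (Type, Length incl. header, Value)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(pkt: bytes):
    """Yield (type, offset_of_value, value) for each TLV after the header."""
    i = HEADER_LEN
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("bad attribute length")
        yield t, i + 2, pkt[i + 2:i + length]
        i += length


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, authenticator: bytes = b"") -> bytes:
    """NAS side: hide the password, append a zeroed Message-Authenticator, then
    fill it with HMAC-MD5(secret, whole packet) as RFC 3579 3.2 prescribes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) \
        + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed; constant-time compare."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        for t, off, val in parse_attributes(pkt):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16:
                zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, val)
    except ValueError:
        return False
    return False  # no Message-Authenticator: RFC 3579 requires it for EAP, so reject


def decode_access_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: check the HMAC first, only then reveal User-Password."""
    if not verify_message_authenticator(pkt, secret):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    authenticator = pkt[4:20]
    fields = {}
    for t, _, val in parse_attributes(pkt):
        if t == ATTR_USER_NAME:
            fields["username"] = val
        elif t == ATTR_USER_PASSWORD:
            fields["password"] = reveal_password(val, secret, authenticator)
    return fields


if __name__ == "__main__":
    secret = b"testing123"  # constructed for the demo (FreeRADIUS ships it as the localhost example secret)
    pkt = build_access_request(7, secret, b"alice", b"hunter2")
    assert secret not in pkt and b"hunter2" not in pkt
    print(decode_access_request(pkt, secret))
```

Two caveats worth keeping in mind when reading this: the hiding is only as strong as the shared secret, since anyone who captures an Access-Request can run an offline dictionary attack against the Message-Authenticator (or against the User-Password if they know the plaintext), which is exactly why a long random secret per client in clients.conf matters and why RadSec exists; and an Access-Request without a Message-Authenticator is not authenticated at all, which is why the verifier above rejects such packets rather than falling back to the password hiding alone.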