On 27 Nov 2011, at 00:40, Mr Dash Four wrote:

>>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in
>>> freeRADIUS?
>>>
>> It is. I believe you misunderstood how RADIUS works.
>>
> Maybe, considering I've been reading about RADIUS for just over 2 days...
Why don't you try reading about EAP and 802.1X too?

>> The connection between the AP (called NAS in RADIUS) and the
>> RADIUS-Server is only protected by the shared secret configured in
>> clients.conf.
>> Yes, this is kind of weak.
> It is *very* weak, not least because connections can be intercepted as, I
> presume is the case here, this "shared secret" is transmitted in the clear
> over the wire. If that is not the case and it is hashed, then, that's another
> story.

No... and when would you ever send a shared secret over the wire in the clear? That negates the secret part...

>> And because of this weakness a protocol like
>> RADsec has been developed, which is essentially
>> RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole
>> RADIUS session.
>>
>> So far I have not seen any devices like APs, Dial-in-Servers, etc.
>> support RADsec. But this is normally no problem, since those devices are
>> usually located in a safe network with the RADIUS server.
>>
>> RADsec for example is used in the Deutsche Forschungsnetz (DFN), to
>> secure inter-university RADIUS connections over the Internet to
>> authenticate Eduroam users.
>>
> Interesting, noted. It would be nice if this works in a similar way as the
> SSL handshake works - this is very secure, tested and already established in
> the real world.

Of course it does, it's using TLS... You think the RADSEC guys are going to mess with it just because it's used for transporting RADIUS packets?

>> Back to EAP-(T)TLS:
>>
>> The connection between a connecting device such as a laptop, which
>> connects to a NAS, can be secured via EAP-(T)TLS, which is a protocol
>> transported via RADIUS packets.
>>
>> This of course has been supported by FreeRADIUS for ages.
>>
> OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens
> in two distinct stages: the first stage (EAP-TTLS) is the outer
> authentication where the server presents its credentials/certificate to the
> client and then the secure channel is established. Phase two (EAP-TLS in my
> case) is where the client - via its client certificate - is actually
> authenticated to the RADIUS server. Now, I was hoping that the AP does this
> in a similar sort of way when authenticating itself to the RADIUS server, but
> it seems that is not the case and this is indeed a weak point.

No. The NAS (it can be a WAP, VPN concentrator, switch, router, terminal server) does not use EAP-TTLS or any EAP-based authentication method to communicate with the RADIUS server directly.

As previously mentioned, RADSEC does what you're asking. There are also plans for a DTLS transport layer (http://tools.ietf.org/html/draft-dekok-radext-dtls-03). But neither has been implemented by NAS vendors yet.

If you want to have a secure channel of communication between the NAS and the RADIUS server, run the UDP packets through a VPN, or implement a local proxy on the NAS to translate between UDP and RADSEC.

Additionally, if you're using EAP-TTLS-TLS, why do you need the RADIUS communications to be secure? The sensitive data is already encrypted. In fact, why are you using EAP-TTLS-TLS unless you're transporting something extra in the TTLS tunnel? Seems sort of pointless to me...

> My question still remains though - since this is a two-phase authentication,
> two distinct sets of (ca, server, client) certificates can be used. How do I
> specify these in RADIUS?

raddb/modules/eap.conf - you can specify the signing CA for peer certificates for EAP-TLS. You can use two instances of the module, one for outer and one for inner, if it helps you understand the concept any better.
> I found that I could specify the ca, client and server certificates once
> (normally stored in raddb/certs if memory serves), but I potentially need two
> of each for each phase. I know I could use just one, but just for the sake of
> understanding the whole process and getting to know how it all works I need
> to know this. How do I do that?

See above...

> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !