MD5 is broken.

Thanks for the public service announcement.
Pleasure!

Do you seriously think the IETF, and the people responsible for RADIUS protocol evolution, aren't aware of this?

Seriously, what would you like us to do exactly? Travel back in time to the mid 1990s and re-do the first RADIUS implementations with end-to-end pluggable crypto, and at the same time arrange for the Wassenaar agreement to be revoked?

If you want better security than that provided by the shared secret, you're free to arrange it between your NAS and your radius server. Some places use IPSec for this purpose, or things like OpenVPN.
Up until yesterday, I wasn't aware that the only way an AP/NAS can communicate with the RADIUS server is via an unencrypted channel. That's fair enough, I suppose; once I know what I am up against I will take the appropriate actions/measures to mitigate the possible security implications and reduce the risks, if I can. I wasn't making a "public announcement"; it was merely an observation - stop being so precious!

HOWEVER - before you do that, and before you make any more announcements on how insecure RADIUS is, perhaps you could actually put some time and effort into understanding the protocol. You are missing two critical bits of info:

[...]

Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS vendors support it? No. Can we afford to stop using RADIUS? No.
Thank you - if I knew where to look for this information, I would have done it ages ago.

The question is - how do I specify the CA, CA2, server certificate/key
and server certificate/key second pair (for phase two) in RADIUS?


Specify two different instances of the eap module. There is an example of this in the default configs in recent 2.1.x versions - see raddb/modules/inner-eap. Once you've done that, use the 2nd module inside your inner-tunnel, like so:
Thanks again, I wasn't aware that I could have inner/different instances. Apart from the various, rather scattered, files with sample configuration examples, is there a more comprehensive manual which includes (and explains) all these options? I'd rather read those than rely on jamooks like DeCock to explain it all to me (or not, as may be the case here).
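For readers following this thread, here is an illustration of the two-instance layout the reply above describes. It is added here as an example and is not taken from the thread or from the FreeRADIUS distribution: one outer `eap` instance handles phase one (PEAP) with the first CA and server certificate/key, and a second instance named `inner-eap` handles phase two (EAP-TLS inside the tunnel) with CA2 and the second certificate/key pair, then the inner-tunnel virtual server calls the second instance. The certificate file names (`outer-ca.pem`, `inner-server.pem`, and so on) and the `${certdir}`/`${cadir}` locations are assumptions; the `raddb/modules/inner-eap` file shipped with 2.1.x is the reference for the real option names.

```text
# raddb/eap.conf - outer (phase one) EAP instance.  File names below are assumed.
eap {
    default_eap_type = peap
    tls {
        certificate_file     = ${certdir}/outer-server.pem   # phase-one server cert (assumed name)
        private_key_file     = ${certdir}/outer-server.key   # phase-one server key (assumed name)
        private_key_password = "changeme"                    # placeholder, replace before use
        CA_file              = ${cadir}/outer-ca.pem         # CA that issued the phase-one cert (assumed name)
        dh_file              = ${certdir}/dh
        random_file          = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"                    # phase two is processed by the inner-tunnel server
    }
}

# raddb/modules/inner-eap - second (phase two) EAP instance, named "inner-eap".
# radiusd.conf $INCLUDEs the modules/ directory, so this file is loaded automatically.
eap inner-eap {
    default_eap_type = tls
    tls {
        certificate_file     = ${certdir}/inner-server.pem   # second server cert (assumed name)
        private_key_file     = ${certdir}/inner-server.key   # second server key (assumed name)
        private_key_password = "changeme"                    # placeholder, replace before use
        CA_file              = ${cadir}/inner-ca.pem         # CA2: the only CA trusted for phase-two client certs
        dh_file              = ${certdir}/dh
        random_file          = /dev/urandom
    }
}

# raddb/sites-available/inner-tunnel - use the second instance inside the tunnel,
# in place of the plain "eap" calls the default inner-tunnel file uses.
server inner-tunnel {
    authorize {
        inner-eap {
            ok = return
        }
        files
    }
    authenticate {
        Auth-Type EAP {
            inner-eap
        }
    }
}
```

The point of keeping the two `tls { }` sections separate is that each stage trusts only its own CA: a client certificate issued under the outer CA is not accepted for phase two unless `inner-ca.pem` also covers it, so the phase-two trust store can be kept much narrower than the one presented to every supplicant on the air.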

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
