Why don't you try reading about EAP and 802.1X too?
I did.
Interesting, noted. It would be nice if this works in a similar way as the SSL
handshake works - this is very secure, tested and already established in the
real world.
Of course it does, it's using TLS...
Thank you.
You think the RADSEC guys are going to mess with it just because it's used for
transporting RADIUS packets?
Where did I say or imply that? Touché!
OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens in
two distinct stages: the first stage (EAP-TTLS) is the outer authentication
where the server presents its credentials/certificate to the client and then
the secure channel is established. Phase two (EAP-TLS in my case) is where the
client - via its client certificate - is actually authenticated to the RADIUS
server. Now, I was hoping that the AP does this in a similar sort of way when
authenticating itself to the RADIUS server, but it seems that is not the case
and this is indeed a weak point.
No, the NAS (it can be a WAP, VPN concentrator, switch, router, or terminal
server) does not use EAP-TTLS or any EAP-based authentication method to
communicate with the RADIUS server directly.
As previously mentioned, RADSEC does what you're asking. There are also plans
for a DTLS transport layer (http://tools.ietf.org/html/draft-dekok-radext-dtls-03).
But neither has been implemented by NAS vendors yet. If you want a secure
channel of communication with the RADIUS server, run the UDP packets through a
VPN, or implement a local proxy on the NAS to translate between UDP and RADSEC.
Tunnelling is something I might consider as an alternative, thanks again
for the explanation.
Additionally, if you're using EAP-TTLS-TLS, why do you need the RADIUS
communications to be secure? The sensitive data is already encrypted. In fact
why are you using EAP-TTLS-TLS unless you're transporting something extra in
the TTLS tunnel? Seems sort of pointless to me...
Well, my understanding is that the communication between AP and RADIUS
is not encrypted, isn't that so?
My question still remains though - since this is a two-phase authentication,
two distinct sets of (ca, server, client) certificates can be used. How do I
specify these in RADIUS?
raddb/modules/eap.conf - You can specify the signing CA for peer certificates
for EAP-TLS.
You can use two instances of the module, one for outer and one for inner if it
helps you understand the concept any better.
Yep, that seems like a good plan - Phil Mayers was kind enough to
explain it to me. I'll probably do a bit of digging before delving in
with RADIUS myself.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
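As an added illustration of the two-instance approach suggested in the thread (this is not configuration from the thread or from FreeRADIUS's shipped files), assuming a FreeRADIUS 2.x layout with a named `inner-eap` instance: the certificate and CA file names under `certs/` are assumptions, and the only point is that the outer TTLS instance and the inner EAP-TLS instance each carry their own `CA_file`.

```conf
# Assumed location: raddb/eap.conf (or raddb/modules/eap.conf, as in the thread).
#
# Outer instance: terminates the EAP-TTLS tunnel. The certificate here is the
# one the supplicant sees in phase one, and CA_file is the CA the supplicant
# is expected to trust for that outer handshake. (File names are assumed.)
eap {
    default_eap_type = ttls
    tls {
        certdir          = ${confdir}/certs
        private_key_file = ${certdir}/outer-server.pem
        certificate_file = ${certdir}/outer-server.pem
        CA_file          = ${certdir}/outer-ca.pem
        dh_file          = ${certdir}/dh
        random_file      = /dev/urandom
    }
    ttls {
        # Phase-two requests are handed to this virtual server, which must
        # call the inner instance below rather than the outer "eap".
        virtual_server = "inner-tunnel"
    }
}

# Inner instance: runs EAP-TLS inside the TTLS tunnel. Its CA_file is the CA
# that signed the client certificates, and it can be a different CA from the
# outer one, which is what keeps the two trust sets independent.
eap inner-eap {
    default_eap_type = tls
    tls {
        certdir          = ${confdir}/certs
        private_key_file = ${certdir}/inner-server.pem
        certificate_file = ${certdir}/inner-server.pem
        CA_file          = ${certdir}/client-ca.pem
        dh_file          = ${certdir}/dh
        random_file      = /dev/urandom
    }
}

# In sites-available/inner-tunnel, reference the inner instance by name in
# both the authorize and authenticate sections, e.g.
#
#   authorize {
#       inner-eap {
#           ok = return
#       }
#   }
#   authenticate {
#       inner-eap
#   }
```

Note that none of this protects the NAS-to-RADIUS leg itself; as the reply above says, that leg stays plain UDP unless it is tunnelled or carried over RADSEC.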