Hi,

>> You haven't done that.
>>
>> > You're smart if you spend the time to understand what you're talking
>
> I know what I am talking about. When there is something I don't know,
> however - I ask, politely, and expect the same from others (that
> doesn't include you, apparently).
I think what Alan was trying to point out is that it is easy to find answers to your basic questions without asking this mailing list. The security of RADIUS is incredibly well-documented, and not specific to FreeRADIUS. So if your problem is that you don't know whether or not a RADIUS shared secret is sent in clear text - and you jump to false conclusions based on your *belief* of how it *might* work (even if you are wrong in your assumptions) - then that is typically called "noise" on a mailing list. You might rather want to clarify that aspect yourself. I just typed "RADIUS shared secret" into Google, and found actual on-topic results - on page one. Microsoft Technet unfortunately, but better than nothing.

Now to get more down to the topic. You mention that security is paramount, which is correct. When you are using EAP-TLS or EAP-TTLS, security of your transmitted credentials comes by virtue of the TLS tunnel that is established within that EAP method. The transport-layer security of RADIUS adds nothing to the security of these credentials. In that case, it doesn't matter much - for security reasons - whether your Access Points talk RADIUS (IP+shared secret) or RADIUS/TLS.

What *is* revealed if you use "only" RADIUS is some of the not-so-significant attributes in the Access-Request, like the MAC address of the connecting client in Calling-Station-Id. That you might possibly see as a rather minimal privacy invasion if an eavesdropper listens on the packet; in that case, RADIUS/TLS would be a way of mitigating that.

Your thread contains lots of confusion, false assumptions and wrong conclusions. There is always a danger that that kind of "half-knowledge" spreads and leads to FUD.
So to be abundantly clear:

Transport security
-------------------------
* traditional: fixed bindings of IP address+shared secret; uses MD5 for hash calculation
* TLS security: either TLS-PSK (drop-in replacement for shared secret) or certificate based

Credential security
--------------------------
* most EAP types "roll their own", which makes transport security less relevant
* EAP-TLS, TTLS, PEAP, FAST are among those
* FreeRADIUS supports all of these EAP types just fine
* some weak EAP types don't provide that security on their own, and either
  - need to be tunneled within TTLS and friends - or -
  - need to be secured by transport security

I think this answers all the questions in your thread and counteracts all the conclusions you jumped to mid-way.

If I may add: almost none of these questions were specific to *FreeRADIUS - the product* - they were about the RADIUS protocol. This mailing list is not the place to ask random questions about RADIUS. Read up on it on the internet, buy a book, or visit a course about RADIUS. The mailing list is about configuring FreeRADIUS.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
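The "traditional" transport layer Stefan describes (IP address + shared secret, MD5 for hash calculation, attributes such as Calling-Station-Id visible on the wire) can be made concrete with the following Python. It is an added example, not code from the post, from Alan, or from FreeRADIUS. The packet layout, attribute numbers, the User-Password hiding scheme and the Response Authenticator formula follow RFC 2865; the function names, the secret `testing123`, the user name, password and MAC address are constructed for illustration.

```python
import hashlib
import os
import struct

# Packet codes and attribute types as defined in RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block). The shared secret itself is never put on
    the wire; it is only used as input to the MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it with the shared secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear, prev = clear + bytes(c ^ k for c, k in zip(block, keystream)), block
    return clear.rstrip(b"\x00")  # strip the null padding added by hide_password


def attribute(atype: int, value: bytes) -> bytes:
    # Type(1) Length(1, counts this 2-byte header as well) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(ident, request_auth, user, password, calling_station, secret):
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(CALLING_STATION_ID, calling_station))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def observer_view(packet: bytes) -> dict:
    """What a passive listener without the secret sees: every attribute in the
    clear, except that the User-Password value is the hidden 16-byte-multiple blob."""
    length = struct.unpack("!H", packet[2:4])[0]
    seen, i = {}, HEADER_LEN
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        seen[atype] = packet[i + 2:i + alen]
        i += alen
    return seen


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, attrs, secret):
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(packet, request_auth, secret) -> bool:
    """NAS-side check: a reply whose authenticator does not match was not produced
    by a peer holding this secret for this request, or was altered in transit."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[HEADER_LEN:length]
    return packet[4:HEADER_LEN] == response_authenticator(code, ident, request_auth, attrs, secret)


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret, never transmitted
    ra = os.urandom(16)     # Request Authenticator: must be fresh and unpredictable
    req = build_access_request(7, ra, b"bob", b"s3cret", b"00-11-22-33-44-55", secret)
    for atype, value in observer_view(req).items():
        print(atype, value)
```

Running the block prints the attributes as an eavesdropper would see them: User-Name and Calling-Station-Id in plain text, User-Password as a hidden blob that only a holder of the secret can undo. `verify_response` is the check the NAS performs on every reply, which is what ties the exchange to the shared secret without ever sending it; RADIUS/TLS (TLS-PSK or certificate based) wraps the whole packet so that none of these attributes are visible on the path at all.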