Hi,

MD5 isn't secure (it's e.g. possible to do a man-in-the-middle attack), and the PEAP you mention IS secure, however I don't like the PEAP implementation when I compare it with TTLS. Using PEAP, the Radius server that is connected to the authenticator MUST be able to terminate PEAP, even if it's proxying the request to another Radius server. (That is what I've seen in tests, so I assume it's correct.)

TTLS uses an encrypted path over EAP, and supports PAP for password checks in a secure way. The advantage is that TTLS must only be terminated at the end Radius server that knows the client (and PAP can be checked against different backends; I guess it doesn't even matter if the password is encrypted - as with unix passwords). The credential transfer is completely over a secure path; proxying Radius servers only have to support EAP.

I really hope Microsoft implements TTLS some day as an EAP authentication standard in Windows; there are already a few good supplicants available. FreeRadius, however, doesn't support TTLS as authentication server; that's a pity too - e.g. Radiator already does TTLS.

Paul
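Added example (not from this list thread, and not FreeRADIUS or Radiator code) of what a proxying RADIUS server actually handles when it "only has to support EAP": it reassembles the EAP-Message attributes (RFC 3579) of a constructed Access-Request and reads just the outer EAP header and method type (MD5-Challenge, TLS, TTLS, PEAP), while the tunnelled payload stays opaque to it. The sample packet bytes are constructed here and are not a real TLS handshake.

```python
import struct

# EAP method type codes discussed in the thread (IANA EAP method registry)
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
EAP_MESSAGE_ATTR = 79   # RADIUS attribute that carries EAP frames (RFC 3579)
USER_NAME_ATTR = 1

def radius_attributes(payload):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet (RFC 2865 TLVs)."""
    pos = 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def reassemble_eap(payload):
    """Concatenate all EAP-Message attributes in order; a proxy forwards exactly these bytes."""
    return b"".join(v for t, v in radius_attributes(payload) if t == EAP_MESSAGE_ATTR)

def describe_eap(eap):
    """Decode the outer EAP header (code, id, length, type) and name the method."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match reassembled data")
    # Only Request (1) and Response (2) carry a type byte; Success/Failure do not
    method = eap[4] if code in (1, 2) and length > 4 else None
    return {"code": code, "id": ident, "type": method, "method": EAP_TYPES.get(method, "other")}

def build_eap_message_attrs(eap, chunk=253):
    """Split an EAP frame into EAP-Message attributes (253 data bytes max each)."""
    out = b""
    for i in range(0, len(eap), chunk):
        piece = eap[i:i + chunk]
        out += bytes([EAP_MESSAGE_ATTR, len(piece) + 2]) + piece
    return out

# Constructed sample: EAP-Request, id 7, type TTLS (21), one flags byte plus 300 bytes of
# filler standing in for the tunnelled TLS data the proxy cannot read.
_body = bytes([0x20]) + b"\x16\x03\x01" * 100
SAMPLE_EAP = struct.pack("!BBHB", 1, 7, 5 + len(_body), 21) + _body
SAMPLE_ATTRS = (bytes([USER_NAME_ATTR, 2 + len(b"paul")]) + b"paul"
                + build_eap_message_attrs(SAMPLE_EAP))

if __name__ == "__main__":
    print(describe_eap(reassemble_eap(SAMPLE_ATTRS)))
```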

Artur Hecker wrote:

hi
it's a point of view. the certificate can belong to the user or to the machine in the same manner. windows xp explicitly distinguishes that and allows you to use machine credentials when no user info is available or guest credentials when no machine info is available, etc.

if you want to authenticate the user, you have to use user certificates
and put those in the user cert. repository. that's all and that has
nothing to do with freeradius.

on freeradius side according to tls no user passwords have to be stored.
freeradius does not support ldap for certificate storage for eap/tls at
the moment and probably never will (it's actually not very necessary).

on the other hand, your question about passwords has nothing to do with
TLS. tls is based on PK crypto, i.e. priv key, cert, etc. if you want a
password etc., you should use md5 (hehe) or the (still) proprietary peap
perhaps. that has nothing to do with freeradius either :-) peap will
hardly be implemented before its standardization though.
ciao artur
Benoît Bécel wrote:
I don't succeed in installing eap-md5 with windows xp, but I succeed with
eap-tls!
But I can only authenticate the computer with the certificate, and I
would like to authenticate the user with a login and a password with LDAP!

If you have any suggestions to help me ....
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html