> I know that vpn (in my situation I use AES in esp and ike) is a
> perfect (about) solution.
> In my infrastructure vpn authenticates machines/computer/box
> (network card) and radius authenticates users.

Is this a wireless environment? How are you using Radius? The user typically never sees Radius packets. They occur only between an AP or a NAS or a dialup server on one end and a Radius server on the other.

> Can I make an eap/tls connection above a vpn? That is, before I create
> an ipsec connection and after I made up an eap/tls?

I'm not sure if I get it, but: if you are using EAP-TLS between your laptop and the AP, and then a VPN client from your laptop to another box (for VPN termination) somewhere behind the AP, it sounds like it would work.

> I don't think so because vpn works at layer 3 and eap at layer
> 2...is exactly?

AFAIK when you do EAP-TLS first, you have set up Layer 2 and now you should be able to do anything (including VPN) at Layer 3.

> Java supports ssl (JSSE); is it hard/difficult to make a java client
> with ssl that talks with a radius server?

I have never used Java+SSL so I don't know. I assume you are planning to write an EAP-TLS client. If so, you can try using one of the existing clients (Windows/XSupplicant/alfa-ariss.com etc).

If this is between the NAS and the Server, it'll be some work to get SSL working, as Radius messages use UDP and SSL inherently assumes a connection-oriented reliable transport such as TCP, and your code will have to handle stuff like retransmits, out-of-order delivery etc. You might be better off using IPSec between your NAS and the Radius server.

So:
1. user - AP (EAP-TLS)
2. AP - Radius Server (IPSec) [BTW which AP supports a builtin VPN client?]
3. user - VPN termination box (IPSec)

and you are all set. You don't need to write any SSL client.

Puneet
_______________________________________________
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
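
The NAS-to-Radius-server leg the reply describes runs over UDP and is protected by a shared secret, not by SSL. The following Python is an added example, not code from the list post or from FreeRADIUS: a hypothetical NAS builds an Access-Request with the User-Password hidden as RFC 2865 specifies, a hypothetical server checks it and answers, and the NAS verifies the Response Authenticator. The shared secret, user names and passwords are constructed values; nothing is sent on a network. It also illustrates why the IPSec suggestion matters: the secret authenticates the server's reply and hides the password, but User-Name and every other attribute travel in the clear.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange.

Constructed teaching example: a hypothetical NAS and a hypothetical RADIUS
server share `secret`; packets are built and parsed in memory only.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network order)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(data: bytes) -> list:
    """Parse the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): chained MD5 keystream XOR, 16-byte blocks."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> tuple:
    """Return (code, identifier, authenticator, raw attribute bytes)."""
    code, ident, length = HEADER.unpack_from(data)
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    return code, ident, data[4:20], data[20:length]


def build_access_request(ident, username, password, secret, request_auth=None):
    ra = request_auth or os.urandom(16)  # fresh, unpredictable Request Authenticator
    attrs = encode_attr(ATTR_USER_NAME, username)  # sent in the clear on the wire
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    _, ident, ra, _ = parse_packet(request)
    return build_packet(code, ident, response_authenticator(code, ident, attrs, ra, secret), attrs)


def verify_response(response, request, secret) -> bool:
    """NAS-side check: identifier matches and the authenticator was made with our secret."""
    code, ident, auth, attrs = parse_packet(response)
    _, req_ident, ra, _ = parse_packet(request)
    if ident != req_ident:
        return False
    return hmac.compare_digest(auth, response_authenticator(code, ident, attrs, ra, secret))


def server_handle(request, secret, users):
    """Hypothetical server: recover the password, compare, answer Accept or Reject."""
    code, ident, ra, raw = parse_packet(request)
    if code != ACCESS_REQUEST:
        return None
    attrs = dict(decode_attrs(raw))
    name, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = name in users and hidden is not None and reveal_password(hidden, secret, ra) == users[name]
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def demo():
    secret = b"constructed-shared-secret"            # constructed value
    users = {b"alice": b"correct horse"}             # constructed value
    req = build_access_request(7, b"alice", b"correct horse", secret)
    resp = server_handle(req, secret, users)
    assert parse_packet(resp)[0] == ACCESS_ACCEPT and verify_response(resp, req, secret)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")  # no secret, no valid reply
    assert not verify_response(forged, req, secret)
    return decode_attrs(parse_packet(req)[3])[0]    # User-Name, readable by anyone on the path


if __name__ == "__main__":
    print("cleartext attribute in request:", demo())
```

The User-Password hiding and the Response Authenticator are what RADIUS itself offers over UDP; they depend entirely on the shared secret and on the Request Authenticator being unpredictable, and they give no confidentiality for the remaining attributes. Putting the NAS-to-server traffic inside IPSec, as the reply suggests, closes that gap without touching the RADIUS code.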
