Hello, I'm trying to set up a RADIUS server here in my office to permit WLAN usage, and I really feel like I'm coming up against my limits of understanding on the technologies involved.

I've successfully compiled yesterday's CVS release, which includes EAP-TTLS support, but I'm running into some serious issues (most likely due to lack of clue on my part) getting it working. The server is a Debian testing install, with OpenSSL compiled from source. The base station is a Linksys WRT-54G, although I haven't gotten to the point where I think there's a problem there.

Here's my list of questions:

1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been unable to successfully create a cert that FreeRADIUS likes. In the radiusd.conf file, there's a certificate_file argument, along with a CA_file argument. My understanding of the reason for this is that with EAP-TLS, authentication is done by certs alone - the user must have the server cert's public key loaded, and the user must present a public key signed by the CA. But with TTLS, the client cert does not appear to be a requirement. Does that mean I can use a self-signed cert and not worry about the CA_file, or do I still need to create both? And if so, does anyone have a working OpenSSL recipe to create these? So far I've been unsuccessful in creating anything other than a self-signed key.

2. I think I'm missing some understanding when it comes to the differences between authentication protocols (PAP, MS-CHAP, etc.) and authentication mechanisms (users file, smbpasswd, SQL, PAM, etc.). My ideal scenario is for TTLS to use PAM (which authenticates based on MD5 hashes in /etc/shadow), allowing anyone with an account on the server running radiusd to connect to the WLAN, but I'm not quite sure how the auth protocol interacts with auth-types. I have "DEFAULT Auth-Type := Pam" in my users file; do I need to do anything further depending on the auth protocol I use "inside" the EAP-TTLS tunnel (PAP, CHAP, etc.)?

3. I'm really, really in the dark when it comes to the key distribution mechanism. With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the RADIUS server handle that, or does it only negotiate access and let the base station generate a random key? Is there a knob in the config I need to set up for this?

Thank you in advance for your patience. I'm sure I'll have more questions later.

Thanks,
-Chris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

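An added example for question 1 (this is not from the original post or from the FreeRADIUS project): a minimal OpenSSL recipe that creates a private CA and a server certificate signed by that CA, which is the pair the certificate_file and CA_file settings expect. Even though EAP-TTLS does not require a client certificate, the supplicant still validates the server certificate against a trusted CA, so a CA-signed server cert (with the CA cert distributed to clients) is the usual setup. File names, subject names and lifetimes below are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds a private CA
# and a CA-signed server certificate for EAP-TTLS using the openssl CLI.
# Paths, subjects and validity periods are illustrative assumptions.
set -e

make_radius_certs() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Private CA: a self-signed root.  ca.pem is what goes in CA_file
    #    and is also what clients need in their trusted-CA store.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Office WLAN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Server key and certificate request; the CN is the name
    #    supplicants will see when they inspect the server cert.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=radius.example.office" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the request with the CA.  The result (server.pem) is the
    #    CA-signed cert for certificate_file, not a self-signed one.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # Private keys must never be world-readable.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Returns 0 only if server.pem chains to ca.pem, which is the same
# check a supplicant performs before it sends credentials in the tunnel.
verify_radius_certs() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Usage: sh make_certs.sh /etc/raddb/certs   (directory is an assumption)
if [ "$#" -ge 1 ]; then
    make_radius_certs "$1" && verify_radius_certs "$1" && echo "certificates OK"
fi
```

Point certificate_file at server.pem (with the key in server.key, or concatenate both into one file if the config expects that) and CA_file at ca.pem; the openssl verify step fails if the server cert was accidentally self-signed instead of CA-signed.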