Request Help On setting up SSL using external server certs on freeradius

shivu prasad
Hi Guys,

I am trying to achieve the following.

I have written a RADIUS module which will do authentication and authorization
with external identity providers.

The module is working fine. As part of hardening, I thought of enabling
SSL (server certs) so that all client requests to the server and server to
clients go via this SSL.

I tried to read the documents and even Deploying RADIUS
(http://deployingradius.com/); it only talks about TLS for the *EAP* auth type.

Is configuring SSL between the RADIUS server and clients required?
If required, can anyone point to how to configure it?

Regards,
Shivaprasad
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Request Help On setting up SSL using external server certs on freeradius

Alan Buxey
SSL between the server and clients? Nothing to do with RADIUS itself. You
need to either look at RADSEC for that channel or use SSL VPN between the 2.

On Sat, 12 Jan 2019, 09:58 shivu prasad <[hidden email]> wrote:

> Hi Guys,
>
> I am trying to achieve the following.
>
> I have written a RADIUS module which will do authentication and authorization
> with external identity providers.
>
> The module is working fine. As part of hardening, I thought of enabling
> SSL (server certs) so that all client requests to the server and server to
> clients go via this SSL.
>
> I tried to read the documents and even Deploying RADIUS
> (http://deployingradius.com/); it only talks about TLS for the *EAP* auth type.
>
> Is configuring SSL between the RADIUS server and clients required?
> If required, can anyone point to how to configure it?
>
> Regards,
> Shivaprasad
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
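
A RadSec (RADIUS over TLS) listener of the kind the reply above points to, as an added example that is not part of the original thread; it follows the layout of the sites-available/tls template shipped with FreeRADIUS 3.0.x. The certificate file names, the client name nas1 and the address 192.0.2.10 are placeholders.

```conf
# Added example: RadSec listener. File names, client name and address are placeholders.
listen {
	ipaddr = *
	port = 2083                 # registered RadSec port (RFC 6614)
	type = auth+acct
	proto = tcp                 # RadSec runs over TCP, not UDP
	virtual_server = default
	clients = radsec            # only clients from the section below may connect

	tls {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		require_client_cert = yes   # mutual TLS: the NAS must present a cert signed by ca_file
	}
}

clients radsec {
	client nas1 {
		ipaddr = 192.0.2.10
		proto = tls             # this client is accepted over TLS only
		secret = radsec         # fixed value for RADIUS over TLS (RFC 6614)
	}
}
```

The NAS has to speak RadSec itself for this to work; where it does not, the VPN option from the reply is the alternative.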

Re: Request Help On setting up SSL using external server certs on freeradius

Hans-Christian Esperer
Hi,

On Sat, Jan 12, 2019 at 03:29:08PM +0530, shivu prasad wrote:
> The module is working fine. As part of hardening, I thought of enabling
> SSL (server certs) so that all client requests to the server and server to
> clients go via this SSL.

Not exactly sure I follow, but if you wish to encrypt the connection between
clients and the radius server, you need to use PEAP or EAP-TTLS. They are very
similar in what they achieve.

Basically, PEAP is to EAP what HTTPS is to HTTP. Inside the PEAP or TTLS
"tunnel" happens the real radius authentication.

Just have a look at mods-available/eap, in particular the PEAP {} section.
There's a configuration option called inner_tunnel. Inner_tunnel specifies the
server configuration that is to be used inside the PEAP connection, that would
otherwise be unprotected.

> Is configuring SSL between the RADIUS server and clients required?

It is not required, but if the communication between the radius server and the
clients can be intercepted, such as is the case with WIFI, then it's a really
good idea to enable encryption.

The EAP-PWD authentication method works encrypted but doesn't require any
certificates/TLS setup to be configured, as it uses other means to securely
exchange the passphrase; however, it's not yet supported by all platforms and
only works with pre-shared passphrases.

HTH a bit,
 HC

Re: Request Help On setting up SSL using external server certs on freeradius

Hans-Christian Esperer
On Sat, Jan 12, 2019 at 12:46:14PM +0100, Hans-Christian Esperer wrote:
> On Sat, Jan 12, 2019 at 03:29:08PM +0530, shivu prasad wrote:
> > The module is working fine. As part of hardening, I thought of enabling
> > SSL (server certs) so that all client requests to the server and server to
> > clients go via this SSL.

If by "clients" you mean a NAS or wifi access point that talks to the radius
server, then forget everything I just said. I was talking about protecting the
connection between clients that need to be authenticated (i.e., wifi clients)
and the NAS/access points.

-HC

Re: Request Help On setting up SSL using external server certs on freeradius

arjun sharma
Hi,

Depends on the authentication you are using. How does your module authenticate?

On Sat, Jan 12, 2019, 5:04 PM Alan Buxey <[hidden email]> wrote:

> SSL between the server and clients? Nothing to do with RADIUS itself. You
> need to either look at RADSEC for that channel or use SSL VPN between the
> 2.
>
> On Sat, 12 Jan 2019, 09:58 shivu prasad <[hidden email]> wrote:
>
> > Hi Guys,
> >
> > I am trying to achieve the following.
> >
> > I have written a RADIUS module which will do authentication and authorization
> > with external identity providers.
> >
> > The module is working fine. As part of hardening, I thought of enabling
> > SSL (server certs) so that all client requests to the server and server to
> > clients go via this SSL.
> >
> > I tried to read the documents and even Deploying RADIUS
> > (http://deployingradius.com/); it only talks about TLS for the *EAP* auth type.
> >
> > Is configuring SSL between the RADIUS server and clients required?
> > If required, can anyone point to how to configure it?
> >
> > Regards,
> > Shivaprasad
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html