On Jun 10, 2022, at 5:04 PM, Bob Friesenhahn <bfriesen@xxxxxxxxxxxxxxxxxxx> wrote:
> We have an existing application (written in Python) which uses RADIUS for user authentication. To satisfy security/crypto requirements, we are requested to use EAP-TLS via RADIUS because plain RADIUS is not sufficiently secure.

I'll answer this as a RADIUS person. RADIUS hasn't been "broken" in the security sense. For all intents and purposes, it's fine.

That being said, it's always a good idea to use the latest and greatest security. The question is, what do you need? Why are you choosing EAP-TLS versus TTLS (with passwords)?

> In order to satisfy the requirement, it appears that 'hostapd' needs to be added like this:
>
> RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App

You need to use eapol_test, which also comes with hostap. It sends RADIUS packets directly.

You can also use eapol_test as an example of how to integrate RADIUS + EAP into your application.

And if you want to secure the RADIUS traffic, you should use RadSec (RFC 6614). All major RADIUS servers support it.

Alan DeKok.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
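One way a Python application could drive eapol_test for an EAP-TLS check against a RADIUS server, as an added example that is not part of the original message or of the hostap project. The function names are hypothetical, eapol_test is assumed to be on PATH, and rejecting quote and newline characters in config values is a conservative choice made here.

```python
import os
import subprocess
import tempfile


def _quoted(name, value):
    # Conservative choice of this example: refuse characters that could end
    # the quoted string or start a new line in the generated config file.
    if not value or any(c in value for c in '"\r\n'):
        raise ValueError(f"unsafe value for {name}")
    return f'    {name}="{value}"'


def build_eap_tls_config(identity, ca_cert, client_cert, private_key):
    """Return a wpa_supplicant-style network block selecting EAP-TLS."""
    lines = [
        "network={",
        "    key_mgmt=IEEE8021X",
        "    eap=TLS",
        _quoted("identity", identity),
        _quoted("ca_cert", ca_cert),          # CA used to verify the RADIUS server
        _quoted("client_cert", client_cert),  # certificate presented for the user
        _quoted("private_key", private_key),
        "}",
    ]
    return "\n".join(lines) + "\n"


def build_command(conf_path, server_ip, secret, port=1812, timeout=10):
    # -s puts the RADIUS shared secret on the command line, where other local
    # users can read it from the process list; run this on a trusted host.
    return ["eapol_test", "-c", conf_path, "-a", server_ip,
            "-p", str(port), "-s", secret, "-t", str(timeout)]


def eap_tls_authenticate(identity, ca_cert, client_cert, private_key,
                         server_ip, secret):
    """Run one EAP-TLS exchange; True only if eapol_test exits with status 0."""
    conf = build_eap_tls_config(identity, ca_cert, client_cert, private_key)
    fd, path = tempfile.mkstemp(suffix=".conf")  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(conf)
        result = subprocess.run(build_command(path, server_ip, secret),
                                capture_output=True, text=True, timeout=60)
        return result.returncode == 0
    finally:
        os.unlink(path)
```
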