Re: EAP-TLS RADIUS login for local user authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 10 Jun 2022, Alan DeKok wrote:

On Jun 10, 2022, at 5:04 PM, Bob Friesenhahn <bfriesen@xxxxxxxxxxxxxxxxxxx> wrote:
We have an existing application (written in Python) which uses RADIUS for user authentication.  To satisfy security/crypto requirements, we are requested to use EAP-TLS via RADIUS because plain RADIUS is not sufficiently secure.

 I'll answer this as a RADIUS person.  RADIUS hasn't been "broken"
 in the security sense.  For all intents and purposes, it's fine.

I agree with the above.

Our requirement is to meet FIPS 140-2, which is about cryptographic security and certification. FIPS 140-2 specifies the allowed algorithms, and the implementations need to be formally certified.

That being said, it's always a good idea to use the latest and greatest security. The question is, what do you need? Why are you choosing EAP-TLS versus TTLS (with passwords)?

We were told that the test lab uses EAP-TLS.

I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.

In order to satisfy the requirement, it appears that 'hostapd' needs to be added like this:

 RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App

You need to use eapol_test, which also comes with hostap. It sends RADIUS packets directly. You can also use eapol_test as an example of how to integrate RADIUS + EAP into your application.

I did see that test application. It is not built by default. I will investigate it further.

And if you want to secure the RADIUS traffic, you should use RadSec (RFC 6614). All major RADIUS servers support it.

Is there a list of RADIUS servers which support RadSec? I was aware of RadSec but am having a really hard time finding RADIUS servers with documentation which mentions RadSec.

Regardless, the popular radsecproxy (https://radsecproxy.github.io/) relies partially on the Nettle crypto library, which is not FIPS 140-2 certified. :-(

The test lab tells us that they are using Microsoft's RADIUS server which comes with some Windows Server editions. I do not see any mention of RadSec in the documentation.

We don't have much control over which RADIUS server is used, but it must also use FIPS 140-2 certified algorithms.

Regardless, using RadSec is really problematic for some of our (switch) devices (since it requires adding software), but those devices already provide hostapd and EAP-TLS should work since the clients already speak EAP.

Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux