On Fri, 10 Jun 2022, Alan DeKok wrote:
> On Jun 10, 2022, at 5:04 PM, Bob Friesenhahn <bfriesen@xxxxxxxxxxxxxxxxxxx> wrote:
>> We have an existing application (written in Python) which uses RADIUS for user authentication. To satisfy security/crypto requirements, we are requested to use EAP-TLS via RADIUS because plain RADIUS is not sufficiently secure.
>
> I'll answer this as a RADIUS person. RADIUS hasn't been "broken"
> in the security sense. For all intents and purposes, it's fine.

I agree with the above.

Our requirement is to meet FIPS 140-2, which is about cryptographic
security and certification. FIPS 140-2 specifies the allowed
algorithms, and the implementations need to be formally certified.

> That being said, it's always a good idea to use the latest and
> greatest security. The question is, what do you need? Why are you
> choosing EAP-TLS versus TTLS (with passwords)?

We were told that the test lab uses EAP-TLS.

I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.

>> In order to satisfy the requirement, it appears that 'hostapd' needs to be added like this:
>> RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App
>
> You need to use eapol_test, which also comes with hostap. It sends
> RADIUS packets directly. You can also use eapol_test as an example
> of how to integrate RADIUS + EAP into your application.

I did see that test application. It is not built by default. I will
investigate it further.

> And if you want to secure the RADIUS traffic, you should use RadSec
> (RFC 6614). All major RADIUS servers support it.

Is there a list of RADIUS servers which support RadSec? I was aware
of RadSec but am having a really hard time finding RADIUS servers with
documentation which mentions RadSec.

Regardless, the popular radsecproxy (https://radsecproxy.github.io/)
relies partially on the Nettle crypto library, which is not FIPS 140-2
certified. :-(

The test lab tells us that they are using Microsoft's RADIUS server
which comes with some Windows Server editions. I do not see any
mention of RadSec in the documentation.

We don't have much control over which RADIUS server is used, but it
must also use FIPS 140-2 certified algorithms.

Regardless, using RadSec is really problematic for some of our
(switch) devices (since it requires adding software), but those
devices already provide hostapd and EAP-TLS should work since the
clients already speak EAP.
Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
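The RADIUS + EAP framing that eapol_test performs for the application, as an added example (not hostap code and not from this thread): an Access-Request carrying an EAP packet in 253-byte EAP-Message attributes, closed by the Message-Authenticator that RFC 3579 requires on any packet carrying EAP-Message, plus the receiver-side checks. The Message-Authenticator is HMAC-MD5 by specification, so on a FIPS 140-2 deployment the validated crypto is in the EAP-TLS payload and, with RadSec, in the TLS transport, not in this framing; the shared secret, username and authenticator used here are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_FRAGMENT = 253  # largest attribute value: 255-byte attribute minus 2-byte header


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_eap_access_request(identifier, username, eap_payload, secret, authenticator=None):
    """Access-Request with the EAP packet split across EAP-Message attributes and a
    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes (RFC 2865)
    attrs = _avp(ATTR_USER_NAME, username)
    for i in range(0, len(eap_payload), EAP_FRAGMENT):
        attrs += _avp(ATTR_EAP_MESSAGE, eap_payload[i:i + EAP_FRAGMENT])
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + authenticator + attrs, hashlib.md5).digest()
    return header + authenticator + attrs[:-16] + mac


def _attributes(packet):
    # Yield (type, value offset, value) for each attribute after the 20-byte header.
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return  # malformed attribute: stop rather than read past the packet
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """True only if the length field is consistent and the HMAC-MD5 matches."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, offset, value in _attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # RFC 3579: EAP-Message without Message-Authenticator is discarded


def extract_eap_message(packet):
    # Reassemble the EAP packet from consecutive EAP-Message attributes.
    return b"".join(v for t, _, v in _attributes(packet) if t == ATTR_EAP_MESSAGE)
```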
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap