On Jun 10, 2022, at 7:12 PM, Bob Friesenhahn <bfriesen@xxxxxxxxxxxxxxxxxxx> wrote:

> Our requirement is to meet FIPS 140-2, which is about cryptographic security and certification.

FIPS 140-2 specifies the allowed algorithms, and the implementations need to be formally certified. Be warned that MD5 isn't FIPS compatible, and RADIUS requires MD5. So "FIPS 140-2 compatible" can be a bit of an issue.

> I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.

That's fine, then.

> Is there a list of RADIUS servers which support RadSec?

I don't know of such a list.

> I was aware of RadSec but am having a really hard time finding RADIUS servers with documentation which mentions RadSec.

Radiator, FreeRADIUS, radsecproxy, among others.

> Regardless, the popular radsecproxy (https://radsecproxy.github.io/) relies partially on the Nettle crypto library, which is not FIPS 140-2 certified. :-(

Your choices are:

a) choose a hard-line of "FIPS compatibility", and don't use RADIUS

b) be more realistic, use RADIUS, and have a much more difficult time explaining FIPS compatibility issues.

Choose one. :(

> The test lab tells us that they are using Microsoft's RADIUS server which comes with some Windows Server editions. I do not see any mention of RadSec in the documentation.

I can say with authority that NPS doesn't do RadSec. Having spoken with the engineers and program managers involved, I can also say that NPS has had minimal engineering development in the last 10 years. It works for basic things, but past that, the product is effectively dead.

> Regardless, using RadSec is really problematic for some of our (switch) devices (since it requires adding software), but those devices already provide hostapd and EAP-TLS should work since the clients already speak EAP.

EAP-TLS over RADIUS should be fine. Except for various FIPS issues noted above.

Alan DeKok.
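To make the "RADIUS requires MD5" point concrete, here is an added illustration (not code from the thread, hostapd or any RADIUS server) of the two places the base protocol hard-wires MD5: User-Password hiding from RFC 2865 section 5.2 and the HMAC-MD5 Message-Authenticator from RFC 2869. The shared secret, Request Authenticator and packet bytes are constructed sample values; neither construction has an algorithm-negotiation field, which is why a conforming RADIUS implementation cannot avoid MD5 even when EAP-TLS carries the real authentication.

```python
import hashlib
import hmac


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-octet block of the padded password with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    # Pad with NULs to a multiple of 16 octets, minimum one block.
    padded = password + b"\x00" * max(16 - len(password), -len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()  # MD5 is mandatory here
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += cipher_block
        prev = cipher_block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as a server would apply it."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ k for h, k in zip(block, key_block))
        prev = block
    return bytes(out).rstrip(b"\x00")


def message_authenticator(packet_with_zeroed_attr: bytes, secret: bytes) -> bytes:
    """RFC 2869 s5.14: HMAC-MD5 over the packet with the attribute value zeroed.
    EAP over RADIUS (RFC 3579) makes this attribute mandatory, so EAP-TLS
    still depends on MD5 at the RADIUS layer."""
    return hmac.new(secret, packet_with_zeroed_attr, hashlib.md5).digest()


# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE_PACKET = b"\x01\x2a\x00\x34" + REQ_AUTH + b"\x50\x12" + b"\x00" * 16
```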
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap