EAP-TLS RADIUS login for local user authentication

Alan DeKok aland at deployingradius.com
Fri Jun 10 15:14:33 PDT 2022

On Jun 10, 2022, at 5:04 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:
> We have an existing application (written in Python) which uses RADIUS for user authentication.  To satisfy security/crypto requirements, we are requested to use EAP-TLS via RADIUS because plain RADIUS is not sufficiently secure.

  I'll answer this as a RADIUS person.  RADIUS hasn't been "broken" in the security sense.  For all intents and purposes, it's fine.

  That being said, it's always a good idea to use the latest and greatest security.  The question is, what do you need?  Why are you choosing EAP-TLS versus TTLS (with passwords)?

> In order to satisfy the requirement, it appears that 'hostapd' needs to be added like this:
>  RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App

  You need to use eapol_test, which also comes with hostap.  It sends RADIUS packets directly.  You can also use eapol_test as an example of how to integrate RADIUS + EAP into your application.

  And if you want to secure the RADIUS traffic, you should use RadSec (RFC 6614).  All major RADIUS servers support it.

  Alan DeKok.

More information about the Hostap mailing list