EAP-TLS RADIUS login for local user authentication

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Fri Jun 10 16:12:55 PDT 2022

On Fri, 10 Jun 2022, Alan DeKok wrote:

> On Jun 10, 2022, at 5:04 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:
>> We have an existing application (written in Python) which uses RADIUS for user authentication.  To satisfy security/crypto requirements, we are requested to use EAP-TLS via RADIUS because plain RADIUS is not sufficiently secure.
>  I'll answer this as a RADIUS person.  RADIUS hasn't been "broken"
>  in the security sense.  For all intents and purposes, it's fine.

I agree with the above.

Our requirement is to meet FIPS 140-2, which is about cryptographic 
security and certification.  FIPS 140-2 specifies the allowed 
algorithms, and the implementations need to be formally certified.

>  That being said, it's always a good idea to use the latest and 
> greatest security.  The question is, what do you need?  Why are you 
> choosing EAP-TLS versus TTLS (with passwords)?

We were told that the test lab uses EAP-TLS.

I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.

>> In order to satisfy the requirement, it appears that 'hostapd' needs to be added like this:
>>  RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App
>  You need to use eapol_test, which also comes with hostap.  It sends 
> RADIUS packets directly.  You can also use eapol_test as an example 
> of how to integrate RADIUS + EAP into your application.

I did see that test application.  It is not built by default.  I will 
investigate it further.

>  And if you want to secure the RADIUS traffic, you should use RadSec 
> (RFC 6614).  All major RADIUS servers support it.

Is there a list of RADIUS servers which support RadSec?  I was aware 
of RadSec but am having a really hard time finding RADIUS servers with 
documentation which mentions RadSec.

Regardless, the popular radsecproxy (https://radsecproxy.github.io/) 
relies partially on the Nettle crypto library, which is not FIPS 140-2 
certified. :-(

The test lab tells us that they are using Microsoft's RADIUS server 
which comes with some Windows Server editions.  I do not see any 
mention of RadSec in the documentation.

We don't have much control over which RADIUS server is used, but it 
must also use FIPS 140-2 certified algorithms.

Regardless, using RadSec is really problematic for some of our 
(switch) devices (since it requires adding software), but those 
devices already provide hostapd and EAP-TLS should work since the 
clients already speak EAP.

Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
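One way the Python login application could drive eapol_test for the EAP-TLS case (and the TTLS/PEAP cases mentioned above), added here as an illustration rather than code from the thread or from hostap. It assumes eapol_test is on PATH, that its -c/-a/-p/-s/-t options and its trailing SUCCESS/FAILURE line behave as in current hostap, and that certificate paths and the shared secret are supplied by the caller.

```python
import subprocess
import tempfile
from pathlib import Path


def _q(value):
    """Quote a value for a wpa_supplicant-style config; refuse characters
    that would let a caller-supplied string break out of the field."""
    if any(c in value for c in '"\\\n\r'):
        raise ValueError("illegal character in config value")
    return f'"{value}"'


def build_eapol_test_config(method, identity, ca_cert, client_cert=None,
                            private_key=None, private_key_passwd=None,
                            password=None):
    """Return the network block eapol_test reads (wpa_supplicant syntax)."""
    lines = ["network={", "    key_mgmt=IEEE8021X", f"    eap={method}",
             f"    identity={_q(identity)}", f"    ca_cert={_q(ca_cert)}"]
    if method == "TLS":
        if not (client_cert and private_key):
            raise ValueError("EAP-TLS needs client_cert and private_key")
        lines += [f"    client_cert={_q(client_cert)}",
                  f"    private_key={_q(private_key)}"]
        if private_key_passwd:
            lines.append(f"    private_key_passwd={_q(private_key_passwd)}")
    elif method in ("TTLS", "PEAP"):
        if password is None:
            raise ValueError(f"EAP-{method} needs a password")
        lines += [f"    password={_q(password)}", '    phase2="auth=MSCHAPV2"']
    else:
        raise ValueError(f"unsupported EAP method {method!r}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def parse_eapol_test_result(returncode, stdout):
    """eapol_test exits 0 and prints SUCCESS as its last line on success;
    require both so a truncated or odd run is treated as a failed login."""
    out = stdout.strip()
    return returncode == 0 and bool(out) and out.splitlines()[-1] == "SUCCESS"


def authenticate(server, secret, config_text, port=1812, timeout=10):
    """Run one EAP authentication against a RADIUS server via eapol_test."""
    # NamedTemporaryFile is created mode 0600, so key/password material in
    # the config is not world-readable; it is removed as soon as the run ends.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(config_text)
        cfg = f.name
    try:
        proc = subprocess.run(["eapol_test", "-c", cfg, "-a", server, "-p",
                               str(port), "-s", secret, "-t", str(timeout)],
                              capture_output=True, text=True, check=False)
    finally:
        Path(cfg).unlink(missing_ok=True)
    return parse_eapol_test_result(proc.returncode, proc.stdout)
```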
