EAP-TLS RADIUS login for local user authentication
bfriesen at simple.dallas.tx.us
Fri Jun 10 16:12:55 PDT 2022
On Fri, 10 Jun 2022, Alan DeKok wrote:
> On Jun 10, 2022, at 5:04 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:
>> We have an existing application (written in Python) which uses RADIUS for user authentication. To satisfy security/crypto requirements, we are requested to use EAP-TLS via RADIUS because plain RADIUS is not sufficiently secure.
> I'll answer this as a RADIUS person. RADIUS hasn't been "broken"
> in the security sense. For all intents and purposes, it's fine.
I agree with the above.
Our requirement is to meet FIPS 140-2, which is about cryptographic
security and certification. FIPS 140-2 specifies the allowed
algorithms, and the implementations need to be formally certified.
> That being said, it's always a good idea to use the latest and
> greatest security. The question is, what do you need? Why are you
> choosing EAP-TLS versus TTLS (with passwords)?
We were told that the test lab uses EAP-TLS.
I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.
>> In order to satisfy the requirement, it appears that 'hostapd' needs to be added like this:
>> RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App
> You need to use eapol_test, which also comes with hostap. It sends
> RADIUS packets directly. You can also use eapol_test as an example
> of how to integrate RADIUS + EAP into your application.
I did see that test application. It is not built by default. I will
investigate it further.
> And if you want to secure the RADIUS traffic, you should use RadSec
> (RFC 6614). All major RADIUS servers support it.
Is there a list of RADIUS servers which support RadSec? I was aware
of RadSec but am having a really hard time finding RADIUS servers with
documentation which mentions RadSec.
Regardless, the popular radsecproxy (https://radsecproxy.github.io/)
relies partially on the Nettle crypto library, which is not FIPS 140-2
The test lab tells us that they are using Microsoft's RADIUS server
which comes with some Windows Server editions. I do not see any
mention of RadSec in the documentation.
We don't have much control over which RADIUS server is used, but it
must also use FIPS 140-2 certified algorithms.
Regardless, using RadSec is really problematic for some of our
(switch) devices (since it requires adding software), but those
devices already provide hostapd and EAP-TLS should work since the
clients already speak EAP.
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
More information about the Hostap