EAP-TLS RADIUS login for local user authentication

[Alan DeKok]

On Jun 10, 2022, at 7:12 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:
> Our requirement is to meet FIPS 140-2, which is about cryptographic security and certification.  FIPS 140-2 specifies the allowed algorithms, and the implementations need to be formally certified.

  Be warned that MD5 isn't FIPS compatible, and RADIUS requires MD5.  So "FIPS 140-2 compatible" can be a bit of an issue.

> I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.

  That's fine, then.

> Is there a list of RADIUS servers which support RadSec?

  I don't know of such a list.

>  I was aware of RadSec but am having a really hard time finding RADIUS servers with documentation which mentions RadSec.

  Radiator, FreeRADIUS, radsecproxy, among others.

> Regardless, the popular radsecproxy (https://radsecproxy.github.io/) relies partially on the Nettle crypto library, which is not FIPS 140-2 certified. :-(

   Your choices are:

  a) choose a hard-line of "FIPS compatiblility", and don't use RADIUS

  b) be more realistic, use RADIUS, and have a much more difficult time explaining FIPS compatibility issues.

  Choose one.  :(

> The test lab tells us that they are using Microsoft's RADIUS server which comes with some Windows Server editions.  I do not see any mention of RadSec in the documentation.

  I can say with authority that NPS doesn't do RadSec.  Having spoken with the engineers and program managers involved, I can also say that NPS has had minimal engineering development in the last 10 years.  I works for basic things, but past that, the product is effectively dead.

> Regardless, using RadSec is really problematic for some of our (switch) devices (since it requires adding software), but those devices already provide hostapd and EAP-TLS should work since the clients already speak EAP.

  EAP-TLS over RADIUS should be fine.  Except for various FIPS issues noted above.

  Alan DeKok.