EAP-TLS RADIUS login for local user authentication
aland at deployingradius.com
Fri Jun 10 17:04:45 PDT 2022
On Jun 10, 2022, at 7:12 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:
> Our requirement is to meet FIPS 140-2, which is about cryptographic security and certification. FIPS 140-2 specifies the allowed algorithms, and the implementations need to be formally certified.
Be warned that MD5 isn't FIPS compatible, and RADIUS requires MD5. So "FIPS 140-2 compatible" can be a bit of an issue.
> I am planning to support EAP-TLS, EAP-TTLS, and EAP-PEAP.
That's fine, then.
> Is there a list of RADIUS servers which support RadSec?
I don't know of such a list.
> I was aware of RadSec but am having a really hard time finding RADIUS servers with documentation which mentions RadSec.
Radiator, FreeRADIUS, radsecproxy, among others.
> Regardless, the popular radsecproxy (https://radsecproxy.github.io/) relies partially on the Nettle crypto library, which is not FIPS 140-2 certified. :-(
Your choices are:
a) choose a hard-line of "FIPS compatiblility", and don't use RADIUS
b) be more realistic, use RADIUS, and have a much more difficult time explaining FIPS compatibility issues.
Choose one. :(
> The test lab tells us that they are using Microsoft's RADIUS server which comes with some Windows Server editions. I do not see any mention of RadSec in the documentation.
I can say with authority that NPS doesn't do RadSec. Having spoken with the engineers and program managers involved, I can also say that NPS has had minimal engineering development in the last 10 years. I works for basic things, but past that, the product is effectively dead.
> Regardless, using RadSec is really problematic for some of our (switch) devices (since it requires adding software), but those devices already provide hostapd and EAP-TLS should work since the clients already speak EAP.
EAP-TLS over RADIUS should be fine. Except for various FIPS issues noted above.
More information about the Hostap