OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP
kinbell4
bell_kin at kramxel.com
Wed Jun 19 20:46:58 PDT 2024
---- On Thu, 20 Jun 2024 04:22:46 +0800 Linus Lüssing wrote ---
> Hi Michael,
>
> Thanks for the feedback.
>
> On Wed, Jun 19, 2024 at 02:32:20PM -0400, Michael Richardson wrote:
> > Radius already does this, and does it better.
> > And Radius v1.1 over TLS is a significantly better protocol than the NAT44-hostile
> > MD5-authenticated thing of yore. Take a page from eduroam.
>
> I don't think that RADIUS does this; this does not work for us with Freifunk.
> Just like we can't offer eduroam on a Freifunk mesh node / AP
> right now either:
Just let hostapd choose the RADIUS server based on the user name; no new protocol is needed.
>
> The final RADIUS Accept message from the RADIUS server, no matter
> if using it with or without TLS, will as the final step of its EAP
> exchange send the pairwise-master-key to the AP. WPA encryption is between the
> client/supplicant and the AP/authenticator only. The RADIUS TLS
> encryption is a separate encryption channel and only between the
> AP/authenticator and remote RADIUS server. It's not
> end-to-end-encrypting payload between the client/authenticator and a
> remote host.
>
> This whole exchange therefore requires the AP/authenticator to be
> run by a trusted operator. At Freifunk most of our nodes are run
> by people that do not know each other. The AP/authenticator would
> be able to mount a man-in-the-middle attack there.
>
EAP-TLS does not need a trusted AP; the certificate will prevent a fake server.
Your design requires the AP side to have the CCMP key, so it is still the same problem:
any internet traffic will also need to be decrypted before being sent to the WAN.
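Added example, not code from this thread, from hostapd or from the OpenHarbors proposal: it works through the key-derivation step the two posters are arguing about. The AP receives the PMK in the RADIUS Access-Accept, the supplicant derives the same PMK from its EAP session, and the 4-way handshake then turns PMK plus both MAC addresses and both nonces (sent in the clear in EAPOL-Key messages 1 and 2) into the PTK, whose last 16 bytes are the CCMP temporal key. The PRF, PTK layout and EAPOL-Key MIC follow IEEE 802.11 (WPA2, key descriptor version 2); the PMK, MAC addresses, nonces and the minimal message-2 frame are constructed values for illustration. Running it shows why whoever operates the authenticator necessarily holds the traffic key, which is the trust boundary the thread is about.

```python
"""Who holds the WPA2 traffic key after a RADIUS/EAP authentication?

All key material below is constructed for illustration; the derivation
itself follows IEEE 802.11 (PRF-384 over HMAC-SHA1, KCK|KEK|TK layout,
EAPOL-Key MIC with key descriptor version 2).
"""
import hashlib
import hmac
import struct

PTK_LEN_CCMP = 48                         # KCK(16) | KEK(16) | TK(16)
PAIRWISE_LABEL = b"Pairwise key expansion"
# MIC field offset inside an EAPOL-Key frame:
# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay(8)
# + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81
NONCE_OFFSET = 17                          # EAPOL hdr(4) + 13 bytes of fixed fields


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, label, Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PAIRWISE_LABEL, data, PTK_LEN_CCMP)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects the handshake, KEK wraps the GTK, TK is the CCMP data key."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key_msg2(snonce: bytes, replay_counter: int) -> bytes:
    """Minimal RSN EAPOL-Key message 2 (pairwise + MIC bits, descriptor version 2), MIC zeroed."""
    key_info = 0x0002 | 0x0008 | 0x0100        # version 2 | pairwise | MIC present
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)   # descriptor type 2 = RSN
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body              # EAPOL v2, type 3 = Key


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def who_holds_the_traffic_key() -> dict:
    """Supplicant and authenticator independently derive the PTK from the shared PMK."""
    # Constructed PMK: in the real exchange this is what the RADIUS Access-Accept
    # hands to the AP (MS-MPPE keys) and what the supplicant gets from its EAP session.
    pmk = hashlib.sha256(b"constructed PMK for illustration only").digest()
    aa = bytes.fromhex("020000000001")          # constructed authenticator MAC
    spa = bytes.fromhex("020000000002")         # constructed supplicant MAC
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()

    # Supplicant: derive PTK, send message 2 carrying SNonce, authenticated with KCK.
    sup = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    msg2 = build_eapol_key_msg2(snonce, replay_counter=1)
    msg2 = msg2[:MIC_OFFSET] + eapol_key_mic(sup["kck"], msg2) + msg2[MIC_OFFSET + 16:]

    # Authenticator: holds the PMK from RADIUS, reads SNonce off the wire, derives the same PTK.
    snonce_seen = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ap = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce_seen))
    mic_ok = hmac.compare_digest(eapol_key_mic(ap["kck"], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])

    return {"mic_ok": mic_ok, "ap_has_tk": ap["tk"] == sup["tk"], "tk": sup["tk"]}


if __name__ == "__main__":
    result = who_holds_the_traffic_key()
    print("message 2 MIC verified by AP:", result["mic_ok"])
    print("AP derived the same CCMP TK as the supplicant:", result["ap_has_tk"])
    print("TK:", result["tk"].hex())
```

The MIC check is the authenticator's legitimate role, and it only succeeds because the authenticator holds the same KCK, derived from the same PMK, as the supplicant; the TK that CCMP uses for the data frames comes out of the same PRF call. RADIUS/TLS protects the PMK on its way from the RADIUS server to the AP, but does not change who ends up holding it.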