Discussion:
Better security
Rudi Verago [vlain]
2003-10-21 15:14:17 UTC
Diameter itself doesn't add any security improvement to Radius.
I mean only the specification of this protocol, without using IPsec, EAP, etc.

But then what is the better way to improve the security using Radius? Radius and
something else, but not IPsec or EAP... something else?

PAP and CHAP are the same... is the only solution to use a long password and use
the Message-Authenticator attribute?

~~~~~~~~~~~~~~~
Rudi Verago [vLAiN]
***@libero.it
~~~~~~~~~~~~~~~


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2003-10-21 16:34:27 UTC
Post by Rudi Verago [vlain]
But then what is the better way to improve the security using Radius? Radius and
something else, but not IPsec or EAP... something else?
"Improving security" is pointless if you don't know what you're
trying to do.

What security problems with RADIUS would you like to fix?

Alan DeKok.

Puneet B
2003-10-21 20:50:02 UTC
Post by Rudi Verago [vlain]
But then what is the better way to improve the security using Radius?
Radius and something else, but not IPsec or EAP... something else?
Something similar was asked on BAWUG a while ago:
http://lists.bawug.org/pipermail/wireless/2002-January/004613.html

Why not IPSec? Another thing: the Message-Authenticator attribute is
required for 802.1x, but I think it's independent of that, and can be
used to sign packets that don't include EAP.
Post by Rudi Verago [vlain]
PAP and CHAP are the same...
Not exactly. Depending on your setup one may be better than the other.
http://www.freeradius.org/faq/#4.4
There are many implementations of PAP+SSL (the WLAN NAS has a web
browser) which are reasonably secure. Then there are some that don't
use SSL, and you should then use CHAP (PAP would send your password
in the clear to the NAS).

Puneet

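As an added example (not from the thread and not FreeRADIUS code), this is the Message-Authenticator signing Puneet mentions, as specified in RFC 2869: an HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's own 16-byte value zeroed, plus the server-side verification that rejects a tampered, wrongly keyed or unsigned Access-Request. The shared secret and the Request Authenticator are constructed values chosen so the output is deterministic.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a shared secret and a
# fixed Request Authenticator so that the example is reproducible.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build an Access-Request whose last attribute is a Message-Authenticator.
    The HMAC-MD5 covers Code, Identifier, Length, Request Authenticator and
    all attributes, with the Message-Authenticator value set to 16 zero bytes."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + REQ_AUTH
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: find the attribute, zero it, recompute and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False          # malformed attribute: reject the packet
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False                  # no signature present: treat as unsigned


def demo() -> tuple:
    """Returns (genuine ok, tampered ok, wrong-secret ok) = (True, False, False)."""
    pkt = build_access_request(7, attr(USER_NAME, b"alice"), SECRET)
    tampered = pkt[:22] + b"b" + pkt[23:]   # flip first byte of the User-Name value
    return (verify_message_authenticator(pkt, SECRET),
            verify_message_authenticator(tampered, SECRET),
            verify_message_authenticator(pkt, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())
```

The check only has value if the server insists on the attribute being present; a server that accepts its absence leaves non-EAP requests unsigned.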
Rudi Verago [vlain]
2003-10-22 12:36:14 UTC
I use a VPN also, but I need another level of security and I don't know how to use
SSL via Java/XML. I don't have a web application but a stand-alone one with Java Swing.
Can I use SSL on Java/XML and not in a browser?

->
-> > But then what is the better way to improve the security using radius?
-> > radius and something else but not ipsec or eap...something else?
->
-> something similar was asked on BAWUG a while ago:
-> http://lists.bawug.org/pipermail/wireless/2002-January/004613.html
->
-> why not IPSec? Another thing: the Message-Authenticator attribute is
-> required for 802.1x but I think its independent of that, and can be
-> used to sign packets that dont include eap.
->
-> > PAP and CHAP are the same...
->
-> not exactly. Depending on your setup one may be better than the other.
-> http://www.freeradius.org/faq/#4.4
-> There are many implementations of PAP+SSL (the WLAN NAS has a web
-> browser) which are reasonably secure. Then there are some that dont
-> use SSL and you should then use chap (PAP would send your password
-> in the clear to the NAS).
->
-> Puneet
->
->

~~~~~~~~~~~~~~~
Rudi Verago [vLAiN]
***@libero.it
~~~~~~~~~~~~~~~


Puneet B
2003-10-22 16:49:37 UTC
Post by Rudi Verago [vlain]
I use a VPN also, but I need another level of security and I
don't know how to use SSL via Java/XML. I don't have a web
application but a stand-alone one with Java Swing. Can I use SSL on
Java/XML and not in a browser?
More security than what an IPSEC VPN provides? This brings me back to
Alan's question: what exactly are you trying to secure here? The Radius
packets between the NAS and the server? Something between the user and
the NAS? What are the endpoints of the VPN that you are currently using?

OpenSSL works with C & C++ and you can run SSL without a browser
(that's what even EAP-TLS/TTLS and PEAP do). Don't know much^H^H^H^H
anything about SSL support in Java or running Java/XML apps without
a browser!

Puneet

Rudi Verago [vlain]
2003-10-22 17:19:45 UTC
First of all, thanks to everybody.
I know that a VPN (in my situation I use AES in ESP and IKE) is an (almost) perfect
solution.
In my infrastructure the VPN authenticates machines/computers/boxes (network card) and
Radius authenticates users.
Can I make an EAP/TLS connection above a VPN? That is, first I create an IPsec
connection and after that I make an EAP/TLS one?
I don't think so, because the VPN works at layer 3 and EAP at layer 2... is that exactly right?

Java supports SSL (JSSE); is it hard/difficult to make a Java client with SSL that
talks with a Radius server?

Bye,

-> More security than what an IPSEC VPN provides? This brings me back to
-> Alan's question: what exactly are you trying to secure here? The Radius
-> packets between the NAS and the server? Something between the user and
-> the NAS? What are the endpoints of the VPN that you are currently using?
->
-> OpenSSL works with C & C++ and you can run SSL without a browser
-> (that's what even EAP-TLS/TTLS and PEAP do). Don't know much^H^H^H^H
-> anything about SSL support in Java or running Java/XML apps without
-> a browser!

~~~~~~~~~~~~~~~
Rudi Verago [vLAiN]
***@libero.it
~~~~~~~~~~~~~~~


Puneet B
2003-10-24 17:25:25 UTC
Post by Rudi Verago [vlain]
I know that a VPN (in my situation I use AES in ESP and IKE) is an
(almost) perfect solution.
In my infrastructure the VPN authenticates machines/computers/boxes
(network card) and Radius authenticates users.
Is this a wireless environment? How are you using Radius? The user
typically never sees Radius packets. They occur only between an AP or
a NAS or a dialup server on one end and a Radius server on the other.
Post by Rudi Verago [vlain]
Can I make an EAP/TLS connection above a VPN? That is, first I create
an IPsec connection and after that I make an EAP/TLS one?
I'm not sure if I get it, but if you are using EAP-TLS between your
laptop and the AP, and then a VPN client from your laptop to
another box (for VPN termination) somewhere behind the AP, it sounds
like it would work.
Post by Rudi Verago [vlain]
I don't think so, because the VPN works at layer 3 and EAP at layer
2... is that exactly right?
AFAIK when you do EAP-TLS first, you have set up Layer 2 and now you
should be able to do anything (including VPN) at Layer 3.
Post by Rudi Verago [vlain]
Java supports SSL (JSSE); is it hard/difficult to make a Java client
with SSL that talks with a Radius server?
I have never used Java+SSL so I don't know. I assume you are planning
to write an EAP-TLS client. If so, you can try using one of the
existing clients (Windows/XSupplicant/alfa-ariss.com etc).

If this is between the NAS and the server, it'll be some work to get
SSL working, as Radius messages use UDP and SSL inherently assumes
a connection-oriented reliable transport such as TCP, and your code
will have to handle stuff like retransmits, out-of-order delivery etc.
You might be better off using IPSec between your NAS and the Radius
server.
So:
1. user - AP (EAP-TLS)
2. AP - Radius Server (IPSec) [BTW which AP supports a built-in VPN client?]
3. user - VPN termination box (IPSec)
and you are all set. You don't need to write any SSL client.

Puneet
