18.7 Legacy Series / Re: Enhancement: RADIUS EAP-TLS only configuration f/Wifi
« on: January 24, 2019, 04:59:21 am »
Hi,
Thanks for your reply. I currently have users enabled in the Freeradius configuration, along with TTLS, using my own Certs that I created for Wifi and this is working for me, but I would like to strengthen the configuration so as to remove the requirement of a user to login using username/password, and only use certificates issued to clients instead.
The issue I'm having is that I would like to modify the Web Admin to include or exclude certain Freeradius configurations, which is not possible currently. Ideally, the web admin could mimic the various configuration files found in /usr/local/etc/raddb (/mods-available, /sites-available, etc). I have tried editing the various configuration files by hand, but have not achieved using EAP-TLS with certificates only yet. I am hoping perhaps some enhancements could be made instead to give more granularity over Freeradius.
For example:
- Only use EAP-TLS and required certs (which would not require a password), and no other type (such as TTLS, etc).
- Disable PAP or any other unwanted/unused authentication protocol
Give access to modify /usr/local/etc/raddb/mods-available/eap with various options, including:
- Ability to set cipher_list = "HIGH" or even specify the cipher list
- Ability to set check_crl= "yes"
- Ability to set ecdh_curve = "secp384r1"
Give access to modify /usr/local/etc/raddb/sites-available/default and inner-tunnel with:
- Disable CHAP/MSCHAP (again, in support of EAP-TLS only in my case)
I hope this makes sense and thank you in advance.
-Jason
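For reference, the hand-edited raddb fragments that express what the post asks for (EAP-TLS as the only method, CRL checking, the requested cipher list and curve, and no password-based modules). This is an added illustration in FreeRADIUS 3.x syntax, not the OPNsense plugin's template output or anything from the original post; certificate paths are placeholders, and a file edited this way is overwritten whenever the plugin regenerates its configuration.

```conf
# /usr/local/etc/raddb/mods-available/eap  (FreeRADIUS 3.x syntax, example only)
eap {
    # Offer only EAP-TLS; a client proposing another method is rejected
    default_eap_type = tls
    ignore_unknown_eap_types = no

    tls-config tls-common {
        # Server identity and the private CA that issued the client certificates
        certificate_file = ${certdir}/server.pem   # placeholder paths
        private_key_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
        dh_file          = ${certdir}/dh

        # Revocation: check_crl only works when the CRL sits in ca_path in
        # OpenSSL hashed form (run "openssl rehash" or c_rehash on the directory)
        check_crl = yes
        ca_path   = ${cadir}

        # Settings named in the post
        cipher_list     = "HIGH"
        ecdh_curve      = "secp384r1"
        tls_min_version = "1.2"
    }

    # Only the tls sub-section exists: no ttls {}, peap {}, md5 {} or gtc {}
    # blocks, so those methods can never be negotiated
    tls {
        tls = tls-common
    }
}

# /usr/local/etc/raddb/sites-available/default  (relevant sections only)
authorize {
    preprocess
    eap {
        ok = return
    }
    # pap, chap and mschap are not listed, so no password-based
    # authorization path remains
}
authenticate {
    eap
    # the Auth-Type PAP / CHAP / MS-CHAP sub-sections are removed
}
```

EAP-TLS carries no inner tunnel, so sites-enabled/inner-tunnel can be unlinked entirely; `radiusd -C` validates the syntax, and a client presenting a revoked certificate is the practical check that check_crl is actually in effect.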