15. The supplicant decrypts the Broadcast key with the Session key and
the session continues using the Broadcast and Session keys until
the session ends.
- (Please note that WEP is not yet supported in freeradius)
-
References:
The Implementation of EAP over RADIUS is based on the following RFCs
To add a new EAP-Type then a new directory should be created as
rlm_eap/types/rlm_eap_XXXX, where XXXX is EAP-Type name
ie for EAP-Type like ONE TIME PASSWORD (OTP) it would be rlm_eap_otp
- and for LEAP it would be rlm_eap_leap.
src/modules/rlm_eap -- contains the basic EAP and generalized interfaces
to all the EAP-Types.
rlm_eap/types -- contains all the supported EAP-Types
- rlm_eap/types/rlm_eap_md5 -- EAP-MD5 authentication.
- rlm_eap/types/rlm_eap_tls -- EAP-TLS based authentication.
-
+ rlm_eap/types/rlm_eap_md5 -- EAP-MD5 authentication.
+ rlm_eap/types/rlm_eap_tls -- EAP-TLS based authentication.
+ rlm_eap/types/rlm_eap_ttls -- TTLS based authentication.
+ rlm_eap/types/rlm_eap_peap -- Windows PEAP based authentication.
+ rlm_eap/types/rlm_eap_leap -- Cisco LEAP authentication.
+ rlm_eap/types/rlm_eap_sim -- EAP-SIM (GSM) based authentication
CONFIGURATION
modules {
...
eap {
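Review bot: in the EAP-Types list above, the new rlm_eap_sim entry is the only one without a trailing period; the other five lines end with one. Also, deleting "and for LEAP it would be rlm_eap_leap" removes the one naming example that matches a type actually listed (rlm_eap_leap), leaving only the OTP example, which refers to a type that is not in the list. Consider keeping the LEAP example.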
+ default_eap_type = md5
+
md5 {
}
...
...
}
- NOTE: You cannot have empty eap stanza. Atleast one EAP-Type sub-stanza
+ NOTE: You cannot have empty eap stanza. At least one EAP-Type sub-stanza
should be defined as above, otherwise the server will not know what type
of eap authentication mechanism to be used and the server will exit
with error.
EAP-Type are documented in the sample radiusd.conf that is provided
with the distribution.
+ Since the EAP requests may not contain a requested EAP type, the
+ 'default_eap_type' configuration options is used by the EAP module
+ to determine which EAP type to choose for authentication.
+
NOTE: EAP cannot authorize a user. It can only authenticate.
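Review bot: grammar in the added default_eap_type paragraph: "the 'default_eap_type' configuration options is used" should read "configuration option is used". Since the paragraph says this option picks the type when the request names none, and the NOTE just above says the server exits when no EAP-Type sub-stanza is defined, it would help to state whether default_eap_type must name one of the sub-stanzas configured in the eap block (md5 in the example).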
- Other Freeradius modules authorize the user and lets EAP to authenticate.
-
+ Other Freeradius modules authorize the user.
+
+
+EAP SIM server
+
+ To configure EAP-SIM authentication, the following attributes must be
+ set in the server. This can be done in the users file, but in many cases
+ will be taken from a database server, via one of the SQL interface.
+
+ If one has SIM cards that one controls (i.e. whose share secret you know),
+ one should be able to write a module to generate these attributes
+ (the triplets) in the server.
+
+ If one has access to the SS7 based settlement network, then a module to
+ fetch appropriate triplets could be written. This module would act as
+ an authorization only module.
+
+ The attributes are:
+ EAP-Sim-Rand1 16 bytes
+ EAP-Sim-SRES1 4 bytes
+ EAP-Sim-KC1 8 bytes
+ EAP-Sim-Rand2 16 bytes
+ EAP-Sim-SRES2 4 bytes
+ EAP-Sim-KC2 8 bytes
+ EAP-Sim-Rand3 16 bytes
+ EAP-Sim-SRES3 4 bytes
+ EAP-Sim-KC3 8 bytes
+
+ EAP-SIM will send WEP attributes to the resquestor.
EAP CLIENTS
http://www.denobula.com/EAPTLS.pdf
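Review bot: typos in the added EAP SIM server section: "whose share secret you know" should be "shared secret", "via one of the SQL interface" should be "interfaces", and "resquestor" should be "requestor". More substantively, the section tells the reader the nine EAP-Sim-* attributes (the triplets, which the text itself ties to the SIM's shared secret) may live in the users file or a SQL database; it should say that these values are key material and that wherever they are stored needs the same protection as stored passwords. Finally, "EAP-SIM will send WEP attributes to the requestor" is vague; name the attributes that are sent so an administrator can verify them in the reply.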
+ 3. Freeradius has an "radeapclient" that can do EAP-MD5 (passwords),
+ as well as EAP-SIM. It is in modules/rlm_eap/radeapclient.
+
+TESTING
+
+ You will find several test cases in src/tests/ for the EAP-SIM code.
+
HOW DO I USE IT (FAQ/Examples)
authenticate {
eap
}
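Review bot: in the added radeapclient item, "an "radeapclient"" should be "a "radeapclient"", and the path "modules/rlm_eap/radeapclient" does not follow the src/modules/rlm_eap convention used earlier in this file (and the src/tests/ path in the new TESTING section); suggest "src/modules/rlm_eap/radeapclient".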
+
+ # If you are proxying EAP-LEAP requests
+ # This is required to make LEAP work.
+ post-proxy {
+ eap
+ }
2. My Userbase is in LDAP and I want to use EAP-MD5 authentication
# ldap gets the Configured password.
# eap sets the authenticate type as EAP
authorize {
+ ...
ldap
eap
+ ...
}
# eap authentication takes place.
authenticate {
+ ...
eap
+ ...
}
3. How can I Proxy EAP messages, with/without User-Name attribute
With the above configuration, RADIUS server immediately responds with
EAP-Identity request.
- NOTE: EAP doesnot check for any Identity or maintains any state in case
+ NOTE: EAP does not check for any Identity or maintains any state in case
of EAP-START. It blindly responds with EAP-Identity request.
Proxying is handled only after EAP-Identity response is received.
INSTALLATION
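Review bot: while this NOTE line is being corrected for "doesnot", the rest of the sentence should be fixed too: "does not check for any Identity or maintains any state" should read "or maintain any state".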
- EAP and EAP-MD5 doesnot require any additional packages.
+ EAP, EAP-MD5, and Cisco LEAP do not require any additional packages.
Freeradius contains all the required packages.
- For EAP-TLS, OPENSSL, <http://www.openssl.org/>, is required to be installed.
- Any version from 0.9.6b, should fairly work with this module.
+ For EAP-TLS, EAP-TTLS, and PEAP, OPENSSL, <http://www.openssl.org/>,
+ is required to be installed.
+ Any version from 0.9.7, should fairly work with this module.
-CAVEATS
- It probably still has bugs. Most notably, there is a small memory
- leak somewhere in the eap_tls code. I suspect it's because of my
- misuse of OPENSSL libraries, but I have no proof yet.
+ EAP-SIM should not require any additional packages.
IMPLEMENTATION (For Developers)
ACKNOWLEDGEMENTS
Primary author - Raghu <raghud@mail.com>
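Review bot: the CAVEATS section describing a memory leak in the eap_tls code is deleted, but nothing in this change says the leak was fixed; either reference the fix or keep the caveat until it is. In the INSTALLATION text, "Any version from 0.9.7, should fairly work with this module." has a stray comma and a hedge; "Any version from 0.9.7 onward should work with this module." is clearer. Likewise "EAP-SIM should not require any additional packages." reads as a guess; state it definitively if it is known.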
+ EAP-SIM - Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ The development of the EAP/SIM support was funded by
+ Internet Foundation Austria (http://www.nic.at/ipa).
+
+
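Review bot: the two added blank lines after the Internet Foundation Austria acknowledgement leave trailing whitespace at the end of the file; drop them.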