Radius EAP-TTLS authentication for the Captive Portal

This topic contains 1 reply, has 0 voices, and was last updated by  imported_fulvio 7 years, 5 months ago.

  • #40835

    imported_fulvio
    Participant

    If you pick RADIUS authentication to validate the Captive Portal users, the current release of Zeroshell uses PAP (Password Authentication Protocol).
    This authentication method sends the user passwords on the network just encrypted with a symmetric salted key based on the RADIUS shared secret.
    For some organizations, PAP can provide an unsatisfactory security level, because the password could be discovered by using a network analyzer such as a sniffer.

    To solve this problem, in the download section http://www.zeroshell.net/eng/download/ you can get a patch for the release 1.0.beta7 of Zeroshell which enables EAP-TTLS RADIUS authentication with PAP inner authentication for the Captive Portal.
    The advantage of this authentication method is that the PAP messages are encapsulated in a TLS encrypted tunnel. This technique, already used in the protected WiFi accesses such as 802.1X, WPA and RSN, improves the security level of the authentication with the Captive Portal against a RADIUS server, because the user credentials cannot be captured by using a network sniffer.

    To apply this patch that uses the wpa_supplicant package, you should use the following shell commands:

    wget http://www.zeroshell.net/listing/zs-1.0.beta7-captive-portal-eap-ttls.patch.tar.bz2
    tar xvfj zs-1.0.beta7-captive-portal-eap-ttls.patch.tar.bz2
    ./install.sh

    Starting with the release 1.0.beta8 of Zeroshell, this patch will be included in the distribution and you won’t need to apply it separately.

    Regards
    Fulvio

    #46033

    Anonymous
    Member

    DELETED

    #46034

    Hannek
    Member

    Great news! The only change from the previous setup I noticed is the use of one Windows Server 2008 R2, with Active Directory Domain Services and Network Policy Server roles.
