FreeRADIUS - mhightower83/Arduino-ESP8266-misc GitHub Wiki

WIP

FreeRADIUS

Notes for FreeRADIUS running on pfSense and the WiFi Enterprise option on the ESP8266. This description is based on search results and observations.

On pfSense->Services->FreeRADIUS->EAP there are 7 config blocks.

  • EAP
  • Certificates for TLS
  • EAP-TLS
  • EAP-TLS Cache
  • EAP-TLS with OCSP support
  • EAP-TTLS
  • EAP-PEAP

EAP

EAP is a framework that serves as the transport for an authentication protocol. It can be used on wireless or wired networks. EAP is not itself an authentication method; it encapsulates one, such as MD5, GTC, LEAP, TLS, TTLS, PEAP, or MSCHAPv2.

EAP-TLS

  • The client must have a certificate.
  • Deployment-wise, it may be the most popular.
  • The ESP8266 crashes on connect (double free of a memory allocation).
    • May also have memory leaks on reconnects.
      • The leaked heap space contains the Identity string.
      • For "[email protected]", that is about 40 bytes for the debug build. (16 bytes overhead, 8-byte aligned)

EAP-TTLS

EAP-TTLS-MD5

  • Works with ESP8266
  • Microsoft started EAP-TTLS support with Windows 8
  • REF

EAP-PEAP

Protected EAP

EAP-PEAP-MSCHAPv2

Second-most widely supported EAP standard. Works with Windows.

  • Works with ESP8266
  • Generally supported by Microsoft, Apple Computer, Cisco, wpa_supplicant
  • To be secure, a CA certificate is required on the client! REF, REF

MS Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is a USERNAME/PASSWORD based authentication method.