RADEAPSRP:
freeradius & pppd patches to support EAP/SRP-SHA1

Why EAP/SRP-SHA1 ?

I know of two authentication protocols that have the following properties:

1. Password based
2. Hard to crack - security depends mostly on password strength.
3. The cleartext password has to be kept on the client side only
4. Supported by radius
5. Supported by pppd

These protocols are EAP/TTLS and EAP/SRP-SHA1.

EAP/TTLS is supported by freeradius and various wireless APs and supplicants. Server-side patches
for pppd are also available. Unfortunately, the only free client-side implementation
for pppd known to me is SecureW2, which runs on Windows only.

EAP/SRP-SHA1 is as good as EAP/TTLS: it has server-side pppd patches, and
a client-side pppd implementation is also free and has been included in pppd for several years.
However, EAP/SRP-SHA1 was not supported by freeradius. It was easier to write an eap-type freeradius module
than to integrate an EAP/TTLS client into pppd :)

What you'll find here:

freeradius-1.1.7-srp.tar.bz2 - just what it says: freeradius-1.1.7 with two modules added, rlm_eap_srp-sha1
and rlm_srp_files. They are documented in doc/rlm_eap_srp_sha1 and doc/rlm_srp_files respectively.

freeradius-1.1.7-srp.patch.bz2 - same as above, but just the patch against vanilla freeradius-1.1.7.

radeapsrp.tar.bz2 - test radius EAP/SRP-SHA1 client with a command-line interface. It was written to debug
the server-side code.

freeradius-client-snapshot-20071022-srp.tar.bz2 - freeradius client library, required to compile radeapsrp.
It has some minor patches to support MESSAGE-AUTHENTICATOR and other things that EAP/SRP requires.

freeradius-client-snapshot-20071022-srp.patch.bz2 - same as above, in patch form.

ppp-heiart.tar.bz2 - pppd patched by Michael Heiart to support EAP/TLS auth against a radius server. It is trivial to extend this to
other EAP types. Kindly provided by Michael Heiart.

ppp-heiart-despace-stripnum.tar.bz2 - same as above, but with EAP/TTLS and EAP/SRP already added.
It also has some other commands: strip the phone number from the username (in the form XXX...XX:name, where XXX is the number),
remove spaces from the username, etc.

srp-2.1.2.tar.gz - SRP package from srp.stanford.edu. It is required to compile all of the above
and is placed here just for convenience.

WARNING!
This code is extremely alpha!
It is of "works for me" quality - it has not been tested under heavy loads etc. etc.

What's more "interesting" - it seems to me that due to changes in the SRP library this is actually SRP-SHA256 :)))
I didn't bother to check, since both client and server run the same library and it is perfectly compatible with itself :)