...
What RADIUS/802.1X is able to provide and not and in which situations.
Proxying
Varying implementation of features - Done
Re-auth, accounting, request from server, - Done
features supported by TP-Link NASes
...
Protocols used: EAP, MSCHAP, PEAP, TTLS, TLS
What EAP is - Done
Difference between auth systems: PEAP, TTLS, TLS
Difference between 802.1X and RADIUS and FreeRADIUS - Done
RADIUS is the protocol, it can be used for many purposes and many authentication methods can be used. - Done
Certificates
Outer and inner identity and MAC/Windows support
Inner tunnel and outer tunnel sites
authorize, authenticate, post-auth, etc. sections
clients.conf
sites-available
mods-available
Wifi keying, session timeout, etc. protections against MAC-spoofing, etc
SSL tunnel
FreeRADIUS configuration files
FreeRADIUS configuration files are many. They are located in /etc/freeradius/3.0 on Debian systems. Other distributions use a slightly different location. Most of them contain plenty of comments explaining what the configuration does and advice and warnings. Here are some of them:
clients.conf - List of clients that will be connecting to the FreeRADIUS server, including their IP addresses and the shared secrets (passwords) they will use to authenticate to FreeRADIUS. What is called a FreeRADIUS client is actually a NAS (an access point or switch, for example), not a supplicant. Supplicants do not speak directly to RADIUS servers.
mods-available - Folder containing config files of modules that can be used with FreeRADIUS
mods-enabled - Folder containing symlinks to files in the mods-available folder, for modules that should be enabled
mods-config - Folder containing more config related to modules and things like .sql files containing empty schemas for initial creation of databases for use with the sql module
sites-available - "Sites" that can be served by FreeRADIUS.
sites-enabled - Folder containing symlinks to files in the sites-available folder, for sites that should be enabled
By default, the 'default' and 'inner-tunnel' sites are enabled. The 'default' site listens for incoming requests from the NASes; the 'inner-tunnel' site does not listen on the network itself but handles the requests that the 'default' site forwards to it from inside the EAP tunnel.
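A clients.conf entry for one NAS, as an added example that is not taken from the page or from the configuration shipped with FreeRADIUS; the client name, the address and the secret are constructed placeholders:

```conf
# /etc/freeradius/3.0/clients.conf (Debian layout, as described above)
# Added example: every value below is a constructed placeholder.
client lab-ap {
    # The NAS (access point or switch) that will send RADIUS requests.
    # Supplicants never appear here; they talk to the NAS, not to FreeRADIUS.
    ipaddr    = 192.0.2.10
    # Shared secret the NAS uses to authenticate to FreeRADIUS; use a long,
    # random value, never the default "testing123" from the shipped file.
    secret    = CHANGE_ME_to_a_long_random_secret
    shortname = lab-ap
    nas_type  = other
}
```

Modules and sites are enabled the same way: a symlink into the corresponding `-enabled` folder, for example `ln -s ../mods-available/sql /etc/freeradius/3.0/mods-enabled/sql` for the sql module; removing the symlink disables it again without touching the file in `mods-available`.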
Inner tunnel and outer tunnel sites
The site files contain multiple sections, here are some of them:
authorize - This section lists modules/code that are run when a request is received, in preparation for authentication. One of the important tasks is to find out which authentication method/protocol the supplicant is trying to use and which FreeRADIUS module is appropriate to deal with it. When one of the listed modules finds that it is able to deal with the request, it informs FreeRADIUS. Another important task is to load in memory information that might be needed for authentication. For example, the sql module loads the relevant credentials from the SQL database so that the appropriate authentication module that runs in the authenticate section can access them in order to compare them with what the supplicant sent.
authenticate - After the authorize section has run, this section performs the actual authentication. The modules called here assess the information made available to them and return a result indicating what action should be taken (accept or reject, for example).
post-auth - After it has been determined what action should be taken, this section takes care of any extra tasks required to be carried out, for example logging.
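A minimal site file showing how the three sections fit together, as an added example; it is not the page's own configuration nor the 'default' site shipped with FreeRADIUS, and the server name lab-default, the listen port and the choice of the eap and sql modules are assumptions:

```conf
# /etc/freeradius/3.0/sites-available/lab-default (added example, assumed name)
server lab-default {
    listen {
        type   = auth
        ipaddr = *
        port   = 1812
    }

    authorize {
        # The eap module inspects the request. If it is an EAP request it sets
        # Auth-Type = eap and "ok = return" stops processing the rest of this
        # section, so the authenticate section knows which module to run.
        eap {
            ok = return
        }
        # Load the user's credentials/attributes from the database so the
        # authentication step can compare them with what the supplicant sent.
        # The leading '-' makes the module optional (no error if not enabled).
        -sql
    }

    authenticate {
        # Run the module selected in authorize for this Auth-Type.
        Auth-Type eap {
            eap
        }
    }

    post-auth {
        # Extra tasks once the decision is made, e.g. logging the result to
        # the radpostauth table via the sql module.
        -sql
        Post-Auth-Type REJECT {
            -sql
        }
    }
}
```

Enabling it is a symlink into sites-enabled, exactly as for modules; with PEAP or TTLS the eap module hands the inner request to the 'inner-tunnel' site, which has the same three sections but no network listener.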
Sources
Support / Knowledge places
Most documentation regarding FreeRADIUS and many modules, and some examples, can be found on the FreeRADIUS wiki:
A lot more useful information can be found on the FreeRADIUS mailing list:
https://wiki.freeradius.org/guide/Users-Mailing-List
...