Ian Pritchard wrote:

> Hi Alan,
>
> >From: "Alan DeKok" <[EMAIL PROTECTED]>
> >Subject: Re: WPA w/ EAP-TLS against 0.8.1
> >Date: Thu, 02 Oct 2003 22:52:50 -0400
> >
> >"Ian Pritchard" <[EMAIL PROTECTED]> wrote:
> > > I've read the responses to this and to the TLS/TTLS thread... tried to find
> > > somewhere in the Funk client where I might be able to control some kind of
> > > reauthentication interval (there's a setting on the AP), but no luck there
> > > unfortunately.
> >
> >   It's set by the RADIUS server, via Session-Timeout.
>
> Yeah, got that one, but just wondered if there was also something in the
> supplicant to do this independently, other than resetting the connection or
> pulling the PCMCIA card out of the laptop....
>
> > > Given that WPA is "the 802.11 security protocol suite of the
> > > future", I guess it might be quite important.... regardless of which
> > > EAP flavour is used... ;-)
> >
> >   Many EAP methods such as LEAP, TLS, and TTLS include dynamic WEP
> >keys.  That would appear to be incompatible with WPA.
>
> Okay, that's interesting. My impression was that WPA w/RADIUS was supposed
> to be fully retro-compatible with 802.1x (at least in terms of EAP flavours
> and the way they operate). Does anyone know where WPA is actually defined? I
> mean, is there a definition document widely available? Does it go down to a
> technical level? Or do you have to pay thousands to join an "open" industry
> forum to have access to the standard? Also, if the WPA standard includes
> RADIUS authentication, what does it mean by "RADIUS" - whose RADIUS servers
> have been tested?

You have access to the "standard" for $25 at wi-fi.org. It is not really
"technical"; perhaps you should take a look at IEEE 802.11i Draft 3.0, as WPA is
a subset of it.

WPA includes EAP support.

Currently, FreeRADIUS runs very well with WPA access points, the only requirement
is the PMK (Pairwise Master Key) transmission from the AAA to the Authenticator
which is performed with a "keying" method such as TTLS or of course TLS. This is
transmitted via an Accept response.

> Jeremy, interesting what you said about your Cisco AP 1200 - I think the
> implementation there is "802.1x" and not WPA, right? The SMC AP we tried
> seemed to be the same - when you turn on "WPA w/TKIP" it didn't work
> for our supplicants against FreeRADIUS, but when you just turned on "802.1x
> authentication" it worked fine.

You're right. Just download the latest IOS release with WPA for Cisco AP1200 (look at
wi-fi.org for the list of certified products). Other versions are Cisco-like security,
like a proprietary cipher called CKIP.

> So, if dynamic WEP is incompatible with WPA, is that the fault of (and
> should the fix happen on) the EAP method, the AP, the supplicant or
> FreeRADIUS?

WPA should be backward compatible with "dynamic-WEP", i.e. 802.1X-2001. You can
have both WPA (w/ authenticated key management, and TKIP) and legacy 802.1X
clients (w/ WEP-rekeying) on the same WPA access point.

Laurent.

> Thanks,
>
> Ian
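
The PMK hand-off mentioned in the reply above, sketched as an added example (not part of the original message and not FreeRADIUS code): with EAP-TLS, RFC 2716 derives 64 bytes of key material from the TLS session, and the first 32 bytes, carried to the access point in the Access-Accept as MS-MPPE-Recv-Key, serve as the WPA PMK. The function names and the sample secret and randoms are constructed for illustration, and the RADIUS-level encryption of the attribute is not shown.

```python
import hashlib
import hmac


def _p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash data expansion (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = _p_hash("md5", s1, label + seed, length)
    sha1_stream = _p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def eap_tls_keys(master_secret, client_random, server_random):
    """Derive the keys the RADIUS server returns after a successful EAP-TLS exchange."""
    km = tls10_prf(master_secret, b"client EAP encryption",
                   client_random + server_random, 64)
    return {
        "MS-MPPE-Recv-Key": km[:32],   # sent to the authenticator in the Access-Accept
        "MS-MPPE-Send-Key": km[32:64],
        "PMK": km[:32],                # WPA uses the first 32 bytes as the PMK
    }


if __name__ == "__main__":
    # Constructed sample values; a real exchange takes them from the TLS handshake.
    master_secret = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    keys = eap_tls_keys(master_secret, client_random, server_random)
    for name, value in keys.items():
        print(name, value.hex())
```

The supplicant runs the same derivation on its side of the TLS session, so both ends hold the PMK without it ever crossing the wireless link.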

