Hello, I've been tasked with getting XP to authenticate with better-than-WEP (WPA) encryption with a Cisco Aironet 1200 AP and RADIUS server, with a desire for the RADIUS server to be free and the client installs on the XP machines to be as simple as possible.

Given I couldn't find anything on PEAP or MSCHAPv2 support for freeradius, I was able to get EAP-TLS working in our environment. (Thanks mainly to Ken Roser's PDF document and http://www.missl.cs.umd.edu/wireless/eaptls - the one major change was that I was able to use openssl-0.9.7c for everything, where he used three different openssl builds.) We don't really have a PKI environment, but adding the generated certs to XP wasn't too difficult.

I noticed the CVS builds support TTLS and MSCHAPv2, but there's no documentation on this. Does eap-mschapv2 work as PEAP? What's the status with this? (Or should I be using TTLS, and is there a good free XP client for that?)

The EAP-TLS seems to work regardless of what I put in the users file. If the client certificate matches against the server one, it gives access. How do you give finer control than that? I don't think we'll do that in our environment, but I'm curious. (i.e. the User-Name supplied in the client certificate wasn't even in my users file, but access was still allowed.)

The AP is configured with TKIP + WEP 128-bit cipher encryption, with open authentication (with EAP) and network EAP support. There is no Authentication Key Management (WPA optional/mandatory was an option here, but if I enabled it XP couldn't connect. I thought XP had WPA support...)

My question is, if I just use one client certificate and distribute it to everyone in our group, will the individual connections still be secure? (i.e. is the per-session encryption tied to the certificates involved, or to some session-specific bit of randomness even when authenticated with the same cert?) Or do I really need to generate each user's own certificate?

Thanks,
Dave

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
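The last question in the post (whether per-session keys depend on the certificate or on session randomness) can be illustrated by carrying out the EAP-TLS key derivation itself. The example below is an added illustration and is not part of the original post or of freeradius; it implements the TLS 1.0/1.1 PRF from RFC 2246 and the EAP-TLS key expansion from RFC 2716 / RFC 5216, where the session key material is `TLS-PRF(master_secret, "client EAP encryption", client.random || server.random)` and the 802.11i PMK is the first 32 octets of the MSK. The certificate never enters this derivation: it is only used to sign the handshake, while the master secret comes from the client's pre-master secret and the two handshake randoms. The sample pre-master secrets and randoms below are constructed constants (a real handshake draws them from a CSPRNG), chosen only so the demonstration is deterministic.

```python
import hashlib
import hmac

# TLS 1.0/1.1 P_hash (RFC 2246 section 5): expand `secret` over `seed`
# using HMAC-<hash> until `length` bytes have been produced.
def p_hash(hash_fn, secret: bytes, seed: bytes, length: int) -> bytes:
    out = b""
    a = seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_fn).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


# TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XORed with
# P_SHA1 over the second half (halves overlap by one byte if the length is odd).
def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


# TLS master secret (RFC 2246 section 8.1). With RSA key exchange the
# pre-master secret is 48 random bytes chosen by the client.
def tls_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


# EAP-TLS key expansion (RFC 2716 section 3.5 / RFC 5216 section 2.3).
# Returns (MSK, EMSK, PMK); PMK = MSK[0:32] is what 802.11i/WPA feeds
# into the 4-way handshake for the per-session TKIP/CCMP keys.
def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    key_material = tls_prf(master_secret, b"client EAP encryption",
                           client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:128]
    pmk = msk[:32]
    return msk, emsk, pmk


# One full derivation for a session; the certificate identity is accepted
# only to make the point that it is not an input to any of the key steps.
def session_pmk(cert_subject: str, pre_master: bytes,
                client_random: bytes, server_random: bytes) -> bytes:
    assert len(pre_master) == 48 and len(client_random) == 32 and len(server_random) == 32
    ms = tls_master_secret(pre_master, client_random, server_random)
    _msk, _emsk, pmk = eap_tls_keys(ms, client_random, server_random)
    return pmk


# Two sessions that authenticate with the *same* client certificate but,
# as in any real handshake, with fresh pre-master secrets and randoms.
# Constructed values: not from any real capture.
def demo_shared_certificate():
    shared_cert = "CN=group-client, O=example (constructed, shared by everyone)"
    session_a = session_pmk(shared_cert,
                            bytes(range(48)),            # pre-master secret A
                            b"\x11" * 32, b"\x22" * 32)  # client/server random A
    session_b = session_pmk(shared_cert,
                            bytes(range(47, -1, -1)),    # pre-master secret B
                            b"\x33" * 32, b"\x44" * 32)  # client/server random B
    return session_a, session_b


if __name__ == "__main__":
    a, b = demo_shared_certificate()
    print("session A PMK:", a.hex())
    print("session B PMK:", b.hex())
    print("identical PMKs:", a == b)
```

The point the derivation makes is that two clients holding the same certificate still end up with different PMKs, because the pre-master secret and the handshake randoms differ per session. What a shared certificate does lose is individual accountability (every user authenticates as the same identity, so a compromised copy cannot be revoked for one person without re-issuing it for all) rather than confidentiality between sessions. Note that TLS 1.2 replaced this MD5/SHA-1 PRF with a SHA-256 based one, so the function above matches the TLS versions contemporary with the post, not modern EAP-TLS deployments.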
