CVS builds support TTLS and MSCHAPv2, but there's no documentation on this. Does eap-mschapv2 work as PEAP? What's the status with this? (Or should I be using TTLS, and is there a good free XP client for that?)
No, PEAP is a different protocol. You could use TTLS with whatever EAP method tunneled in it.
The EAP-TLS seems to work regardless of what I put in the users file. If the client certificates match against the server one, it gives access. How do you give finer control than that? I don't think we'll do that in our environment, but I'm curious. (i.e. the User-Name supplied in the client certificate wasn't even in my users file, but access was still allowed.)
You still have DEFAULT values in your users file, right? If you explicitly reject the user, he will NOT be authenticated.
However, it's true that the User-Name content, the certified name AND the EAP-Identity information are not checked for consistency by the server. (EAP-Identity should be equal to User-Name - that's the function of the AP, that is something you have a trust with; however, both of these, compared to the certified name in the certificate, could NOT match and the certificate would still be accepted. The question here is: do they have to match as strings, or which is the good metric? Perhaps a configurable comparison handler?)
The AP is configured with TKIP + WEP 128bit cipher encryption, with open authentication (with EAP) and network EAP support. There is no Authentication Key Management (WPA optional/mandatory was an option here, but if I enabled it XP couldn't connect. I thought XP had WPA
I didn't try WPA yet, but do you have the XP WPA patches? I suppose you have *sigh* perhaps also the newest firmware for 1200.
support...) My question is, if I just use one client certificate and distribute it to everyone in our group, will the individual connections still be secure? (i.e. is the per-session encryption tied to the certificates involved, or to some session-specific bit of randomness even when authenticated with the same cert?) Or do I really need to generate each user's own certificate?
The per-session keys (PMKs sent to the APs and the derived TKIP keys) will be different since they are derived from the TLS master secret, which is based upon random numbers chosen by the peers during the authentication process, so with high probability different for every session.
However, virtually it would all be one person for you, i.e. all users connecting are one and the same - normal, since you have ONE certified identity. Unless you want to use the "bug" in the server, described above (User-Name/EAP-Id don't have to match CN), by activating the XP option 'use a different user name on connection' and typing in the desired name. However, be assured that then every user could type ANYTHING he wants, and probably he would. So, I wouldn't call it secure, unless you have full trust in your co-workers :-) But it will still be difficult to break your links from outside, almost as difficult as when you used different certificates - thanks to TLS.
ciao artur
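To make the point about per-session keys concrete, here is an added example (not code from the thread or from FreeRADIUS) that models the EAP-TLS key derivation. It assumes a TLS 1.2 style P_SHA256 PRF (RFC 5246 section 5), the "client EAP encryption" label and 64-octet MSK layout from RFC 5216, and that 802.11i takes the first 32 octets of the MSK as the PMK; the nonces and pre-master secret are constructed at random per session. The client certificate never enters the derivation, which is why several sessions authenticated with the same certificate still get different PMKs.

```python
import hmac
import hashlib
import os

# Added example, not from the original thread. It models the EAP-TLS key
# derivation to show why two sessions that authenticate with the SAME client
# certificate still end up with different per-session keys (PMKs).
# Assumptions: TLS 1.2 style P_SHA256 PRF (RFC 5246 section 5); key material
# label "client EAP encryption" and the 64-octet MSK layout from RFC 5216;
# 802.11i uses the first 32 octets of the MSK as the PMK.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash expansion with HMAC-SHA256 (RFC 5246 section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_hash(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS master secret: 48 octets derived from the pre-master and both nonces."""
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


def eap_tls_msk(ms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """EAP-TLS Master Session Key (RFC 5216 section 2.3): first 64 octets of
    PRF(master_secret, "client EAP encryption", client.random + server.random)."""
    return tls_prf(ms, b"client EAP encryption", client_random + server_random, 64)


def session_pmk(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PMK handed to the AP = first 32 octets of the MSK (802.11i)."""
    ms = master_secret(pre_master, client_random, server_random)
    return eap_tls_msk(ms, client_random, server_random)[:32]


def simulate_session(rng=os.urandom) -> bytes:
    """One EAP-TLS authentication: fresh nonces and pre-master each time.
    The client certificate plays no part in this derivation, which is exactly
    the point: identity proof and key agreement are separate steps."""
    client_random = rng(32)
    server_random = rng(32)
    pre_master = rng(48)  # RSA key exchange: chosen at random by the client
    return session_pmk(pre_master, client_random, server_random)


def keys_are_distinct(n: int = 5) -> bool:
    """Run n sessions 'with the same certificate' and confirm no PMK repeats."""
    pmks = {simulate_session() for _ in range(n)}
    return len(pmks) == n


if __name__ == "__main__":
    for i in range(3):
        print(f"session {i}: PMK = {simulate_session().hex()}")
    print("all PMKs distinct:", keys_are_distinct())
```

The derivation is deterministic for a fixed set of inputs (same pre-master and nonces give the same PMK), so the secrecy of each link rests entirely on the freshness of those per-session values, not on who holds the certificate. That matches Artur's answer: a shared certificate collapses accountability (everyone is one identity) but not the confidentiality of the individual links.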
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
