Apologies for the digest response, I get the digest version of the list.

Date: Thu, 09 Oct 2003 09:05:48 +0200
From: Artur Hecker <[EMAIL PROTECTED]>

> no, PEAP is a different protocol. you could use TTLS with whatever EAP
> method tunneled in it.

How does this help with ease of use with XP? Do people commonly tunnel MD5 over TTLS? Or something else -- password auth? What software supports this? Is anyone working on PEAP support native in FreeRADIUS?

> you still have DEFAULT values in your users file, right? if you
> explicitly reject the user, he will NOT be authenticated.

I blanked out my users file before I started, but putting a DEFAULT Auth-Type Reject at the end of the file solved it. I'm going to have to look at the config a little more...

> however, it's true that the User-Name content, the certified name AND
> the EAP-Identity information is not checked for consistency by the
> server. (EAP-Identity should be equal User-Name - that's the function
> of the AP, that is something you have a trust with; however, these
> both compared to the certified name in the certificate could NOT
> match and the certificate would still be accepted. the question here
> is: do they have to match as strings or which is the good metrics?
> perhaps a configurable comparison handler?)

I don't see an EAP-Identity value in my server debugging. What does XP send for that value? The name of the cert, or the machine identification?

> i didn't try WPA yet, but do you have the XP WPA-patches? i suppose
> you have *sigh* perhaps also the newest firmware for 1200.

I wasn't aware a patch was needed, but I've just downloaded it. The 1200 is up-to-date; it shipped with VxWorks and I updated it with the latest update image from Cisco.

> the per-session keys (PMKs sent to the APs and the derived TKIP keys)
> will be different since they are derived from the TLS master which is
> based upon random numbers chosen by the peers during the
> authentication process, so with high probability different for every
> session.

That was my concern. I don't mind everyone using the same credentials to access the wireless network, but I didn't want the shared encryption environment we currently have with WEP.

> however, virtually it would all be one person for you, ie all users
> connecting is the one and the same - normal, since you have ONE
> certified identity. unless you want to use the "bug" in the server,
> described above (User-Name/EAP-Id don't have to match CN) by
> activating the XP option 'use a different user name on connection' and
> typing in the desired name. however, be assured that then every user
> could type ANYTHING he wants and probably he would. so, i wouldn't
> call it secure, unless you have full trust in your co-workers :-) but
> it will be still difficult to break your links from outside, almost as
> difficult as when you used different certificates - thanks to TLS.

True. We're currently using MAC authentication to track users back to devices, and control access. We could still do that with EAP; the certificate would be the replacement for the shared WEP key, but the per-user encryption would be better. I still think PEAP is a better route, without having to put any certificate on the user machine, but I guess that's not an option right now.

Dave

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
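An added example, not from this thread and not FreeRADIUS code, of the "configurable comparison handler" Artur suggests: it checks that the RADIUS User-Name, the EAP-Identity and the name certified in the client certificate agree before a session is accepted. The policy names, the `EapTlsIdentities` type and the sample identities are assumptions constructed for illustration.

```python
"""Consistency check for the three identities seen in one EAP-TLS login:
the RADIUS User-Name attribute, the EAP-Identity from the supplicant, and
the name certified in the client certificate.  Added illustration; the
policy names, types and sample data are assumptions, not FreeRADIUS code."""
from dataclasses import dataclass

POLICIES = ("exact", "case-insensitive", "strip-realm", "san")


@dataclass(frozen=True)
class EapTlsIdentities:
    user_name: str          # RADIUS User-Name, copied by the AP
    eap_identity: str       # EAP-Response/Identity from the supplicant
    cert_cn: str            # subject CN of the presented certificate
    cert_san: tuple = ()    # subjectAltName values (rfc822Name, UPN, ...)


def strip_realm(name: str) -> str:
    """Reduce 'user@realm' or 'DOMAIN\\user' to the bare user part."""
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name.split("@", 1)[0]


def normalize(name: str, policy: str) -> str:
    """Apply the comparison policy's canonical form to one identity."""
    if policy == "exact":
        return name
    name = name.casefold()
    return strip_realm(name) if policy == "strip-realm" else name


def check_identity_consistency(ids: EapTlsIdentities, policy: str = "exact"):
    """Return (accepted, reason).  The AP is trusted to copy EAP-Identity
    into User-Name, so those two must be byte-identical; the claimed name is
    then compared with the certified name(s) under the chosen policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if ids.user_name != ids.eap_identity:
        return False, "User-Name does not match EAP-Identity (AP mismatch)"
    claimed = normalize(ids.user_name, policy)
    certified = [normalize(ids.cert_cn, policy)]
    if policy == "san":   # any subjectAltName entry also counts as certified
        certified += [normalize(s, policy) for s in ids.cert_san]
    if claimed in certified:
        return True, f"claimed identity {ids.user_name!r} is certified"
    # The gap discussed above: without this step the certificate alone
    # would be accepted and any typed user name believed.
    return False, f"claimed {ids.user_name!r} not certified by CN {ids.cert_cn!r}"
```

With a single shared certificate, every user typing a different name is rejected under every policy, which is the behaviour the thread's "bug" lacks.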
