Alan, I have the same configuration that you have (I use a D-Link 7000AP as the AP) and have PEAP working as well. For PEAP, we don't need client certs since it's sort of like TTLS.

One interesting thing is that you get yours to work with the "WEP key is provided to you" option. I could not get it to work, and I think it's mainly between the client and AP. As part of PEAP, FreeRADIUS will send the tunnel secret to the AP for the AP and client to create more keys. But I guess that part of how dynamic WEP works is between the client and AP. In my case, I still need to have a static WEP key to start with since my AP wants it.

Htin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Russell
Sent: Friday, April 02, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Alan

----- Original Message -----
From: "Gary McKinney" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 01, 2004 10:12 PM
Subject: Re: Alan

> Hi Alan,
>
> Basically:
>
> When you have a client machine that is connecting to a NAS using EAP/TLS
> and variations thereof, the encrypted path is ONLY between the client
> machine and the NAS (be it wired or wireless).
>
> The RADIUS server provides the initial encryption path between the client
> machine and the RADIUS server only during the authentication/authorization
> phase of the connection process. The RADIUS server uses the TLS side of the
> connection for the authorization transactions once the TLS tunnel is
> established and credentials have been verified (by virtue of the security
> certificates both the RADIUS server and client machine have installed) ...
> With TTLS only the RADIUS server has a certificate and the encryption phase
> is handled by a certificate generated on the RADIUS server for that specific
> session - once validated, the NAS and the client machine receive an
> encryption key to use during the connection session (and the key is renewed
> with a new key for the NAS and client machine every so often - 300 seconds
> I think is the default setting in FreeRADIUS's configuration file)....
>
> If you need encryption from the client machine to a distant
> server/workstation then you will need to implement some additional
> encryption mechanism between those end-points, as the PEAP/TLS session is
> ONLY between the NAS and the client machine connecting to the NAS...
>
> I hope this helps....
>
> Gary N. McKinney

Gary,

Thanks for the help. With my PEAP/TLS implementation (which appears to be working) my client machine, which is running Win XP SP1, asks me for credentials, e.g. username/password, and if the user exists in the users file then I will be authenticated. However, I never installed the OpenSSL-generated certificate on the client side. In my eap.conf file:

eap {
        default_eap_type = peap
        etc......
}

all tls info is correct, and

peap {
        default_eap_type=mschapv2
}

Is the client side cert. automatically accepted? Also, I have "WEP key is provided for me" checked on my XP machine and everything still functions fine. Is the FreeRADIUS server providing a WEP key to the client machine?

Thanks,
Alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
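For readers following the thread, here is an added example (not from any of the posters and not the file shipped with FreeRADIUS) of a complete FreeRADIUS 1.x eap.conf for PEAP/MSCHAPv2, including the tls section that Alan's message abbreviates; the certificate paths and key password are placeholders, and the comments spell out which side verifies which certificate and where the per-session WEP keys come from.

```conf
# Added example, not from the thread. Paths and password are placeholders.
eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no

        # PEAP needs the tls section: the server proves its identity to the
        # client with certificate_file. Clients send no certificate for PEAP,
        # so CA_file is only used to verify client certs if EAP-TLS is enabled.
        tls {
                private_key_password = CHANGE-ME-placeholder
                private_key_file = ${raddbdir}/certs/server.pem
                certificate_file = ${raddbdir}/certs/server.pem
                CA_file          = ${raddbdir}/certs/ca.pem
                dh_file          = ${raddbdir}/certs/dh
                random_file      = ${raddbdir}/certs/random
                fragment_size    = 1024
                include_length   = yes
        }

        # Inner method run inside the TLS tunnel: MS-CHAPv2 against the users
        # file. Note that the server never checks a client cert here; it is
        # the client that should check the server cert, and on Windows XP that
        # only happens if the CA that signed server.pem is installed and
        # "Validate server certificate" is ticked in the supplicant. Without
        # it the client cannot tell which server terminated the tunnel.
        peap {
                default_eap_type = mschapv2
        }

        # Required for the inner MS-CHAPv2 exchange.
        mschapv2 {
        }
}

# On a successful PEAP authentication FreeRADIUS derives MS-MPPE-Send-Key and
# MS-MPPE-Recv-Key from the TLS session and returns them to the AP in the
# Access-Accept; the AP uses them as the per-session (dynamic) WEP keys that
# the XP option "key is provided for me" expects. The AP must support this,
# which is why some APs still want a static WEP key configured first.
```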

