Mack,

TTLS is not in the 0.9.3 version - you have to use the 1.0.0-pre version to get TTLS support.

The nice thing about TTLS is the fact that the client security certificate is optional! Makes it much easier to deploy if you have a good number of clients or you don't have access to the wireless devices to install said certificates. Glad to see you are gaining some insight into the wonderful world of high-security wireless access [grin]. It is rather complicated but MUCH better at protecting the content of the link vs WEP...

gm...

----- Original Message -----
From: "Mack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 22, 2004 3:53 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

> Gary & Alan,
>
> Thanks guys. Sorry for being so stupid about all of this, but thanks to y'all and the reading that I've done in this short period of time, I have learned a great deal about how this stuff works.
>
> When using TTLS or PEAP, it seems that I'll still need EAP-TLS... but just on the server-side, not the client (am I right?). I think that TTLS will be a better fit as it seems to support more methods, and PEAP seems to be strictly an MS thing. I actually got PEAP working now, though, thanks to your direction.
>
> I'll look into demoing third party clients. Know of any free ones, though?
>
> It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this correct? If so, does the CVS version include support? Sorry if this, too, is documented somewhere, but I just thought I'd ask while I was here.
>
> Thanks for the help!
>
> mack
>
> On 22 Jun 2004 at 12:37, Gary McKinney wrote:
>
> > Mack,
> >
> > Take a look at the following URL:
> >
> > http://3w.denobula.com:50000/EAPTLS.pdf
> >
> > It may be a little dated but all of the info is still relevant... one thing to take notice of is there is NO user password exchanged as EAP/TLS does not use a user's password for authentication - that chore is handled by the fact the supplicant contains a VALID user certificate the server recognizes.
> >
> > I think the above is what Alan is trying to convey to you - you can not use EAP/TLS and LDAP together as there is NO user password exchanged between the supplicant and Freeradius (or any other radius server) in that mode. If you are looking to use LDAP and a very secure method for the link between the client and the AP you will have to use a different method (PEAP or EAP/TTLS come to mind)...
> >
> > You may want to check out other supplicant software (if you are thinking of using the EAP/TTLS method you may want to check out the Odyssey Supplicant software from Funk Software (they are the ones who came up with TTLS and are working on an RFC to that effect).
> >
> > I may not have stated all of the above totally correctly but you should get the basic meaning.... [grin]...
> >
> > There are several RFCs that come with the freeradius package - I would strongly suggest reading them as they are the basis for all the different protocols and authentication methods Alan and company have based the Freeradius software against (I think)....
> >
> > I hope the above information is helpful and taken in the manner in which it was meant (to be informative and helpful)...
> >
> > gm...
> >
> > ---------- Original Message ----------------------------------
> > From: "Mack" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Date: Tue, 22 Jun 2004 12:02:33 -0400
> >
> > > Alan,
> > >
> > > At your request, I'll try to reformat this so that it is presented as a problem/challenge rather than a "why doesn't my solution work" post:
> > >
> > > Problem:
> > > My AP is a 3com 7250. It requires that you enable 802.1x on itself, the client, and the radius server if you want to use the radius server as the "authentication" server. My understanding is that 802.1x requires EAP-something. I chose EAP-TLS because my client is stock XP and my understanding is that EAP-TLS is my only option with that client.
> > >
> > > My boss asked me if it was possible to authenticate our wireless users against Novell's eDirectory (LDAP). He did not specifically require 802.1x/EAP-anything. The only reason I'm using 802.1x/EAP is because the AP requires it.
> > >
> > > I have successfully implemented EAP-TLS authentication between the client, AP, and freeradius. Now I am attempting to "add" LDAP authentication, but have not been successful.
> > >
> > > I can provide any configs/logs if needed.
> > >
> > > Solution:
> > > None so far. Anyone have any suggestions/comments? What would y'all do in my position?
> > >
> > > thanks,
> > > mack
> > >
> > > On 21 Jun 2004 at 23:52, Alan DeKok wrote:
> > >
> > > > "Mack" <[EMAIL PROTECTED]> wrote:
> > > > > My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS.
> > > >
> > > > Are you picking it at random, or are you looking at the features it offers, and using your requirements to decide on a solution?
> > > >
> > > > > I'm just testing now... using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP.
> > > >
> > > > I thought I had been pretty clear in my response: EAP-TLS and LDAP are mutually incompatible. Stop trying to get them to work together.
> > > >
> > > > > I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise. Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help.
> > > >
> > > > You should ask about how to solve a problem, rather than asking why the solution you chose didn't work.
> > > >
> > > > > If you were given my task, how would you go about implementing this?
> > > >
> > > > I told you. Go back and read my message.
> > > >
> > > > If you could describe a problem, I might be able to come up with an alternate solution.
> > > >
> > > > Alan DeKok.
> >
> > ________________________________________________________________
> > Sent via the KillerWebMail system at mail.brev.org

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
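The thread's point, that EAP-TLS carries no user password while TTLS lets the server verify one inside the TLS tunnel, maps directly onto the FreeRADIUS 1.0.x `eap.conf` layout. The fragment below is an added illustration written for this thread, not a file posted by any of the participants or shipped with a particular FreeRADIUS release; the certificate paths and the key password are placeholders to be replaced with your own.

```conf
# Added example: FreeRADIUS 1.0.x-style eap.conf fragment for EAP-TTLS.
# Only the server presents a certificate (the "server-side EAP-TLS" Mack
# asks about); the supplicant needs none. The user's password is sent
# inside the TLS tunnel, so an LDAP backend can check it.
# Paths and the key password below are placeholders, not real values.
eap {
        # Offer TTLS first; a supplicant that wants EAP-TLS can still
        # negotiate it because the tls section is configured too.
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no

        # Server-side TLS material. TTLS and PEAP need this even though the
        # client presents no certificate of its own.
        tls {
                private_key_password = PLACEHOLDER_KEY_PASSWORD
                private_key_file = ${raddbdir}/certs/PLACEHOLDER-server.pem
                certificate_file = ${raddbdir}/certs/PLACEHOLDER-server.pem
                # CA that issued the server certificate (and any client
                # certificates, if EAP-TLS is also kept enabled).
                CA_file     = ${raddbdir}/certs/PLACEHOLDER-ca.pem
                dh_file     = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size  = 1024
                include_length = yes
        }

        ttls {
                # Inner method used only if the client runs EAP inside the
                # tunnel. A non-EAP inner method such as PAP is handed to the
                # normal authorize/authenticate sections, which is where the
                # ldap module gets to see and verify the tunnelled password.
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}
```

Why this fits a directory backend better than EAP-TLS: with TTLS/PAP the password reaches the RADIUS server in cleartext inside the tunnel, so the ldap module can verify it by binding to eDirectory as that user. EAP-TLS never transmits a password at all, which is exactly why Alan calls the two mutually incompatible. A practical caveat when weighing PEAP instead: its usual inner method, MSCHAPv2, needs the server to already hold the user's cleartext password or NT hash, which most LDAP directories will not return, so TTLS/PAP is the combination that actually lets an ordinary LDAP bind do the work.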

