-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 14/10/2009 14:38, Alan Buxey wrote:
> Hi,
>
>> Hmm, just thought, some vendors may include the information in the RADIUS
>> packet as VSAs (Vendor Specific Attributes).
>>
>> Might be worth running the server in debugging mode (radiusd -X) and see
>> what your wireless controllers are actually sending in Access-Request
>> packets.
>>
>> So although you won't get the info in the EAP Tunnel, you may find it's
>> available in the RADIUS Access-request packets.
>
> I thought the same thing - so had a quick look at our incoming RADIUS
> Access-Requests etc... and nothing useful buried there - but there again,
> I haven't looked at the other end yet to see if there are other options or
> VSAs that can be used - we can currently get such info from the wireless
> control system - so that information is being passed from the LWAPP/CAPWAP
> systems to the controller - and a suitable SNMP to the WCS from the RADIUS
> server would allow you to tie the two together (best done out of band!) ..
> this is probably a useful step for any site wondering whether to drop
> WPA/TKIP support for example (for security - move to WPA2/AES) - you'd need
> to see how many non-AES clients you had before the change......
>
Slightly off topic: I've seen discussions about this on the Educause list, and it appears quite a few of our American counterparts have already dropped TKIP...

The problem with trying to do something intelligent like you suggested is that although many clients can be made to support WPA2/AES, they don't currently.

For example the Intel 2200B/G Mini-PCI card used in many older laptops doesn't have WPA2 support in its older 2006 drivers. But a quick run of the Intel driver package and they'll happily connect to any WPA2-Enterprise network.

Also WPA2 support only made it into Windows XP SP3 (or SP2 with KB917021), there are many unpatched clients out there, who'll connect to your network and select WPA/TKIP even though the hardware is capable of better.

Until you actually make the switch over, you won't know how many clients really really can't support WPA2.

- - We bit the bullet and turned off TKIP support on all Wireless networks at the beginning of September. So far we've had no real complaints.

Arran
- --
Arran Cudbard-Bell <[email protected]>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1,
University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrXGX8ACgkQcaklux5oVKIvcwCfZ+qvD9A7njXJWYcZW7Lp3Ei4
yrkAn35UiYh3USKnMmianlNoPdUJSJtT
=CPRf
-----END PGP SIGNATURE-----
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
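Added example, not part of the original message or of FreeRADIUS: one way to do the `radiusd -X` check discussed in the thread, by listing per NAS every attribute in incoming Access-Requests that is not a common standard 802.1X attribute. The `STANDARD` set is a heuristic assumption (the server's dictionaries are authoritative), and the debug output below is constructed sample data.

```python
import re
from collections import defaultdict

# Standard attributes commonly present in 802.1X Access-Requests (assumed
# baseline). Anything else is reported as a candidate VSA worth inspecting.
STANDARD = {
    "User-Name", "NAS-IP-Address", "NAS-Identifier", "NAS-Port",
    "NAS-Port-Type", "Called-Station-Id", "Calling-Station-Id",
    "Framed-MTU", "Service-Type", "Connect-Info", "State",
    "EAP-Message", "Message-Authenticator",
}

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

def extra_attributes(debug_text):
    """Return {NAS address: {attribute: set(values)}} for non-standard
    attributes seen in Access-Request packets in radiusd -X output."""
    found = defaultdict(lambda: defaultdict(set))
    nas = None  # set only while inside an Access-Request attribute list
    for line in debug_text.splitlines():
        m = HEADER.match(line)
        if m:
            nas = m.group(2) if m.group(1) == "Access-Request" else None
            continue
        m = ATTR.match(line)
        if m and nas:
            name, value = m.groups()
            if name not in STANDARD:
                found[nas][name].add(value.strip('"'))
        elif not m:
            nas = None  # any other debug line ends the attribute list
    return {n: dict(a) for n, a in found.items()}

# Constructed sample in the FreeRADIUS 2.x debug layout (documentation IPs).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=12, length=210
\tUser-Name = "alice@example.org"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-IP-Address = 192.0.2.10
\tAirespace-Wlan-Id = 3
\tEAP-Message = 0x0201000a01616c696365
+- entering group authorize {...}
Sending Access-Challenge of id 12 to 192.0.2.10 port 32768
\tEAP-Message = 0x010200061920
rad_recv: Access-Request packet from host 192.0.2.20 port 1645, id=7, length=150
\tUser-Name = "bob@example.org"
\tCisco-AVPair = "ssid=campus"
"""

if __name__ == "__main__":
    for nas, attrs in extra_attributes(SAMPLE).items():
        print(nas, {k: sorted(v) for k, v in attrs.items()})
```

An empty result for a NAS means its requests carry only the baseline attributes, which matches the "nothing useful buried there" outcome described in the quoted reply.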

