Re: WPA authentication works only with MacOS clients
It works! Thanks.

Josh Shamir

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA authentication works only with MacOS clients
Hello all,

I'm using WPA with EAP-TTLS and PEAP with MacOS. Authentication works fine (even if rather slowly). The problem is that I can't authenticate a WinXP client. I've read that using EAP-TTLS requires some other supplicant like SecureW2. Is SecureW2 also required for PEAP?

Thanks for your attention.

Best Regards,
Josh
Re: WPA authentication works only with MacOS clients
Hi Josh,

> Hello all,
> I'm using WPA with EAP-TTLS and PEAP with MacOS. Authentication works fine (even if rather slowly). The problem is that I can't authenticate a WinXP client. I've read that using EAP-TTLS requires some other supplicant like SecureW2. Is SecureW2 also required for PEAP?

No, the built-in supplicant works. But then your server cert needs to have the TLS Web Server Authentication OID, otherwise the supplicant will refuse to authenticate. This special surprise brought to you by: Microsoft :-)

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
Fax: +352 422473
http://www.restena.lu
Re: WPA authentication works only with MacOS clients
Hi,

> Hello all,
> I'm using WPA with EAP-TTLS and PEAP with MacOS. Authentication works fine (even if rather slowly). The problem is that I can't authenticate a WinXP client. I've read that using EAP-TTLS requires some other supplicant like SecureW2. Is SecureW2 also required for PEAP?

no. the builtin WinXP supplicant does PEAP natively. however, don't forget that PEAP doesn't deal with plain text passwords - you either need to have NT-hash or use ntlm_auth

alan
Re: WPA authentication works only with MacOS clients
On 10/16/06, Stefan Winter [EMAIL PROTECTED] wrote:
> Hi Josh,
> No, the built-in supplicant works. But then your server cert needs to have the TLS Web Server Authentication OID, otherwise the supplicant will refuse to authenticate. This special surprise brought to you by: Microsoft :-)

Hi Stefan,

thank you for the quick answer. Can you tell me the parameter that I must use to get the TLS Web Server Authentication OID? I have used -x509 but it is insufficient :)

However, thanks.

Josh Shamir
Re: WPA authentication works only with MacOS clients
Hi,

I can't use NT-hash because I use PAP and I need the clear-text password. However, I've generated server-side certificates with the CA.all script with the standard xpextension:

    [ xpclient_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    [ xpserver_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Can I modify this OID to create MS-Windows compatible certificates? Or is there some other way to obtain this feature?

Best Regards,
Josh

On 10/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > Hello all,
> > I'm using WPA with EAP-TTLS and PEAP with MacOS. Authentication works fine (even if rather slowly). The problem is that I can't authenticate a WinXP client. I've read that using EAP-TTLS requires some other supplicant like SecureW2. Is SecureW2 also required for PEAP?
>
> no. the builtin WinXP supplicant does PEAP natively. however, don't forget that PEAP doesn't deal with plain text passwords - you either need to have NT-hash or use ntlm_auth
>
> alan
WPA authentication works only with MacOS clients
> Date: Mon, 16 Oct 2006 13:25:22 +0200
> From: Josh Shamir [EMAIL PROTECTED]
> Subject: WPA authentication works only with MacOS clients
> To: freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=iso-8859-1
>
> Hello all,
> I'm using WPA with EAP-TTLS and PEAP with MacOS. Authentication works fine (even if rather slowly). The problem is that I can't authenticate a WinXP client. I've read that using EAP-TTLS requires some other supplicant like SecureW2. Is SecureW2 also required for PEAP?

You are correct. The Windows supplicant on XP SP2 supports PEAP-MSCHAPv2, otherwise known as PEAPv0, and EAP-TLS. If you want to use EAP-TTLS you have a few choices. You can use a commercial supplicant like Funk Odyssey Access Client (30 day free trial here: http://www.juniper.net/customers/support/products/oac.jsp). It's a great supplicant and supports EAP-TTLS, PEAPv0, PEAPv1, EAP-TLS, EAP-SIM, EAP-GTC etc. You also may want to check if your wireless card has its own supplicant that supports TTLS. Most new laptops come with an Intel Centrino chipset, and Intel's Proset Wireless supplicant does support TTLS. It's also faster and has more features than the MS supplicant.

If these aren't available options, why not just use PEAP-MSCHAPv2? If you're just doing username/password authentication this should work fine. PEAP and TTLS are very similar in nature, and PEAP is supported in OS X and in the Windows supplicant.

> Thanks for your attention.
> Best Regards,
> Josh
Re: WPA authentication works only with MacOS clients
Hi Jason,

I want to use PEAP. So I can use PEAP on a WinXP SP2 client without any other supplicant, using its native supplicant. The problem is that with the native WinXP supplicant the authentication process fails, and the freeradius server gives me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx. Could it be a problem with the certificates? I generate certificates with CA.all. Any ideas about how to generate certificates that also work with the MS WinXP client?

Thanks for the help.

Best Regards,
Josh
Re: WPA authentication works only with MacOS clients
> Message: 5
> Date: Mon, 16 Oct 2006 22:36:14 +0200
> From: Josh Shamir [EMAIL PROTECTED]
> Subject: Re: WPA authentication works only with MacOS clients
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Jason,
> I want to use PEAP. So I can use PEAP on a WinXP SP2 client without any other supplicant, using its native supplicant. The problem is that with the native WinXP supplicant the authentication process fails, and the freeradius server gives me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx. Could it be a problem with the certificates? I generate certificates with CA.all. Any ideas about how to generate certificates that also work with the MS WinXP client?

This is a common problem. Windows XP requires that the server and client certificates have specific attributes. This is useful as it prevents a man-in-the-middle attack where an authentic client masquerades as a server with his client cert. You need to use Microsoft's Extended Attributes:

    [ xpclient_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    [ xpserver_ext ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

See http://www.linuxjournal.com/node/8095/print for detailed instructions on how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS, which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck.

In particular you'll want to do:

    openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

    openssl ca -config ./openssl.cnf \
        -policy policy_anything -out server_cert.pem \
        -extensions xpserver_ext -extfile ./xpextensions \
        -infiles ./server_req.pem

You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key which has no password). The public certificate will have the Server extended key usage extensions set and now your XP client should authenticate.
Re: WPA authentication works only with MacOS clients
Jason Wittlin-Cohen

P.S.: Sorry for the double post. My last message had flowed text, making it very difficult to read, so I decided to resend it.
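
Added example (not part of the thread and not FreeRADIUS code): a shell check for the requirement discussed above, that the RADIUS server certificate carries the TLS Web Server Authentication EKU (1.3.6.1.5.5.7.3.1). It signs a constructed throwaway request with `openssl x509 -req` rather than the `openssl ca` command from the thread, so no CA database is needed; the subject names and the output names `with_eku.pem` and `no_eku.pem` are assumptions.

```shell
#!/bin/sh
# Added example: all keys and certificates here are constructed test data.

# has_server_eku CERT.pem
# Succeeds only if the certificate explicitly lists the serverAuth EKU
# (OID 1.3.6.1.5.5.7.3.1), which OpenSSL prints as the text matched below.
has_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# make_demo_certs DIR
# Builds a throwaway CA in DIR and signs one request twice: once with the
# xpserver_ext section from the thread and once with no extensions at all.
make_demo_certs() {
    d=$1
    mkdir -p "$d" || return 1
    # Same section name and OID as the xpextensions file quoted in the thread.
    printf '[ xpserver_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' \
        > "$d/xpextensions"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -keyout "$d/server_key.pem" -out "$d/server_req.pem" 2>/dev/null || return 1
    # Signed with the extension section: carries the serverAuth EKU.
    openssl x509 -req -in "$d/server_req.pem" -days 1 \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" -CAcreateserial \
        -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/with_eku.pem" 2>/dev/null || return 1
    # Signed without it: a valid certificate, but with no EKU to find.
    openssl x509 -req -in "$d/server_req.pem" -days 1 \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" -CAcreateserial \
        -out "$d/no_eku.pem" 2>/dev/null || return 1
}

# Usage: sh check_eku.sh server_cert.pem
if [ -n "${1:-}" ]; then
    if has_server_eku "$1"; then
        echo "serverAuth EKU present"
    else
        echo "serverAuth EKU missing"
    fi
fi
```

The check matches on the extension text instead of `openssl x509 -purpose`, because under X.509 rules a certificate with no EKU extension is unrestricted and would still be reported as usable for an SSL server.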