Free RADIUS for WLAN - Problems?
I'm using freeRADIUS-1.02 as an Authentication Server for my Wireless LAN. I've read "802.1X Port-Based Authentication HOWTO" and I'm still wondering some thing: - What are differences between "unicast key" and "multicast/global key". If unicast key is used for encrypting per-client data and if I have 20 client, does that mean Access Point must hold all 20 per-client unicast key? And if multicast/global key is used for encrypting multicast/broadcast traffic, does that mean we have to pre-configure the key in Access Point? - Can someone explain me about "4-way handshake" and how a client derives 128-bits key for Encryption and 64-bits key for MIC. - I want to authenticate my clients with ComputerName\\UserName and i configured my radiusd.conf like below: realm ntdomain { format = prefix delimiter = "\\\\" ignore_default = no ignore_null = no } Is it right? Is it neccessary to care lowercase or upercase in ComputerName? - And I have a problem with my XP client: after the first successful authentication, when I disconnect and reconnect, Instead I must enter my username and password, It automatically connect without a login prompt. Thanks in advance! __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
hi
- What are differences between "unicast key" and "multicast/global key". If unicast key is used for encrypting per-client data and if I have 20 client, does that mean Access Point must hold all
of course, since the communications are encrypted with a different key per client. otherwise your cell neighbors could read your data.
20 per-client unicast key? And if multicast/global key is used for encrypting multicast/broadcast traffic, does that mean we have to pre-configure the key in Access Point?
when it gets down to details, then it gets a little bit nasty, since strictly spoken before 802.11i there wasn't any real standard for that. talking about 802.11i, the answer is NO. the multicast key is chosen randomly by the access point for the first client and is delivered to the client by the access point using a key encryption key for any subsequent client.
- Can someone explain me about "4-way handshake" and how a client derives 128-bits key for Encryption and 64-bits key for MIC.
yes, the IEEE 802.11i standard. please read the security section or look on the web for 802.11i 4way handshake. i'm sure you'll find enough information.
- I want to authenticate my clients with ComputerName\\UserName and i configured my radiusd.conf like below: realm ntdomain { format = prefix delimiter = "\\\\" ignore_default = no ignore_null = no } Is it right? Is it neccessary to care lowercase or upercase in ComputerName?
ahem. i think that you could do it this way, but it is not necessary. the realms are primarily used for relaying requests to other servers. if you just want a naming convention, you could probably directly store these names in a database.
- And I have a problem with my XP client: after the first successful authentication, when I disconnect and reconnect, Instead I must enter my username and password, It automatically connect without a login prompt.
you mean with PEAP/MS-CHAPv2? yes, Windows XP stores the credentials in the registry. http://support.microsoft.com/default.aspx?scid=kb;en-us;823731 ciao artur -- Artur Hecker WaveStorm SARL WaveStorm Support: support@wave-storm.com http://www.wave-storm.com
Hi Artur Hecker, Very thanks for your help. I think you did a good job and hope you keep doing something like this. Thanks again. Best Regards __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
participants (2)
-
Artur Hecker -
dat nguyen