New Thread: EAP for Cisco AP.
The next stage of Radius is using it to secure my Wireless network. I'm fairly sure EAP-TLS is Certificate based, and EAP-MD5 has to do with using an MD5 Has as a "Shared Secret" But, I don't completely understand PEAP, and how it relates to MS-CHAP v2. I want to try to use PEAP to secure my network. Here is my current eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } I have eap in authenticate and authorize. What else do I need to do, and are there more dictionaries.
Hi,
The next stage of Radius is using it to secure my Wireless network. I'm fairly sure EAP-TLS is Certificate based, and EAP-MD5 has to do with using an MD5 Has as a "Shared Secret"
But, I don't completely understand PEAP, and how it relates to MS-CHAP v2.
before implementing a broken system I recommend that you purchase and read a book called 'Wi-Foo' . this will help you understand all of these protocols and methods. alan
A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
The next stage of Radius is using it to secure my Wireless network. I'm fairly sure EAP-TLS is Certificate based, and EAP-MD5 has to do with using an MD5 Has as a "Shared Secret"
But, I don't completely understand PEAP, and how it relates to MS-CHAP v2.
before implementing a broken system I recommend that you purchase and read a book called 'Wi-Foo' . this will help you understand all of these protocols and methods.
alan -
I wouldn't call what I've done so far a "broken system" (My MS-CHAPv2 VPN system works.) Basically the idea is that I need the Wireless Nodes (XSupplicant) to be able to talk on the network and authorize connections. But these need to be Host based, not user based. Because the NSS stuff comes from LDAP. and PAM comes from Kerberos. So, I think that the host needs to be authenticated before the users can actually "Log in". The thing is, I'm not sure how the Aironet 340 does Radius. Can the use of EAP be voluntary at first to assure it works? (Clear Clients still working.)
Hi,
I wouldn't call what I've done so far a "broken system" (My MS-CHAPv2 VPN system works.)
..please note what I read. 'before implementing a broken system' ^^^^^^ ie be familar with all those things you asked about BEFORE doing what you are doing. you cant realistically configure your APs and FR server to do EAP (PEAP) with MSCHAPv2 or MD5 etc if unsure of how they all work - and WHERE they work. alan
before implementing a broken system I recommend that you purchase and read a book called 'Wi-Foo' . this will help you understand all of these protocols and methods.
alan - Here is how I think that that it works. The AP recives an EAP message from the XSupplicant program on the workstation. The AP itself queries the Radius server to see whether this is valid or not. radiusclient is not involved.
Now what I don't know. Is this User or Host based? If its Host based, I'd like to put host Authentication information in my ou=Hosts of my Directory Service. I already do net rpc join DOMAIN on all my nodes anyway just to create the Node's object.
Hi,
Now what I don't know. Is this User or Host based? If its Host based,
well that depends on how your supplicant is set up and how its integrated with the OS. for example, WinXP can be either and/or both.
I'd like to put host Authentication information in my ou=Hosts of my Directory Service. I already do net rpc join DOMAIN on all my nodes anyway just to create the Node's object.
then you can proceed with host-based alan
But, I don't completely understand PEAP, and how it relates to MS-CHAP v2.
PEAP first establish a TLS tunnel (and thus uses the freeradius eap 'tls' module). Then a new Request is sent protected by this TLS tunnel. This inner request can be based on ms-chapv2 or another EAP method).
I want to try to use PEAP to secure my network.
Here is my current eap.conf
eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom }
Take care to setup the freeradius certificate/private key cause it will be used to establish the first TLS tunnel. Also take care to install the cacert in the client certificate store.
peap { default_eap_type = mschapv2 } mschapv2 { } }
I have eap in authenticate and authorize. What else do I need to do, and are there more dictionaries.
Should be enough for the Freeradius part (I suppose you have define your APs in the clients.conf file). Configure the radius parameters in your AP and setup the PEAP client to check the freeradius server's name and certificate to be protected from Man in the middle attacks. Thibault
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Evan Vittitow -
Thibault Le Meur