Hi, I have an idea I thought will be quite easy to implement, but it turned out I can't figure how to do this on my own. Company I work for issues software (Java) tokens for our employees that need external access. They're based on proprietary system (CERB) and we're using them with a great success for authenticating access for our Juniper Gateway device - with a little help from Freeradius (2.0.4, to be precise). CERB system is plugged into radius via something like this (in radiusd.conf): exec cerb { wait = yes program = "/usr/local/bin/cerbauth.sh freeradius" input_pairs = request output_pairs = reply } Now, I wanted to use those token also for 802.1x authentication for our WiFi network, as it'd be safer than using just regular username/password (which might be too weak) and more convenient than certificates (it happened a couple of times that employees laptop has been stolen). For WiFi, we are using H3C WX30xx Access Controllers, which try to use EAP, which in turn doesn't provide clear-text password that could be used for cerb exec. I'm pretty much stuck - either I got something wrong (Freeradius, WPA, EAP etc. are still quite new for me), or it just can't be done. Anyway, I figured I might just write here and hope that someone at least tell me that everything above is just plain wrong :-) /br Stan
On 03/24/2011 08:37 AM, stasheck wrote:
For WiFi, we are using H3C WX30xx Access Controllers, which try to use EAP, which in turn doesn't provide clear-text password that could be used for cerb exec.
It depends on your EAP methods. EAP-PEAP/MSCHAP (the only useful EAP method built into windows clients) won't work, as you've discovered; there are no plaintext passwords. EAP-TTLS/PAP will work fine, but isn't supported on windows without external software.
2011/3/24 Phil Mayers <p.mayers@imperial.ac.uk>:
On 03/24/2011 08:37 AM, stasheck wrote:
For WiFi, we are using H3C WX30xx Access Controllers, which try to use EAP, which in turn doesn't provide clear-text password that could be used for cerb exec.
It depends on your EAP methods.
EAP-PEAP/MSCHAP (the only useful EAP method built into windows clients) won't work, as you've discovered; there are no plaintext passwords.
EAP-TTLS/PAP will work fine, but isn't supported on windows without external software.
OK, so maybe I should just scratch this idea? So there's another: some time ago I was in a hotel that granted access to it's WiFi network using one-time user/pass combo, issued on a piece of paper at the reception, valid for 24 hours. Could something like this be done with Freeradius? (and yes, I looked on google and freeradius.org, but I don't even have an idea how this auth mode is called, and frankly I'm not even sure it was 802.1x - all I know is that it worked on my laptop with Win7). /br Stan
The hotel authentication is typically not done using 802.1x. Or it's simply a shared password. The other piece is a gateway that typically traps your HTTP traffic and forces another authentication before it will forward your traffic to the outside world. Another EAP combination would be PEAP (any flavor) and GTC. Cisco has that in their supplicant. Their are free EAP supplicants out there for Windows. Cisco has a set for their cards and ACS, but they they do not require Cisco hw. I would strongly look at this package: http://open1x.sourceforge.net/ There is a Windows build of the Linux supplicant http://hostap.epitest.fi/wpa_supplicant/ Juniper sells the former Funk Odyssy Access client that will do TTLS. Dave. Quoting stasheck <stasheck.fora@gmail.com>:
2011/3/24 Phil Mayers <p.mayers@imperial.ac.uk>:
On 03/24/2011 08:37 AM, stasheck wrote:
For WiFi, we are using H3C WX30xx Access Controllers, which try to use EAP, which in turn doesn't provide clear-text password that could be used for cerb exec.
It depends on your EAP methods.
EAP-PEAP/MSCHAP (the only useful EAP method built into windows clients) won't work, as you've discovered; there are no plaintext passwords.
EAP-TTLS/PAP will work fine, but isn't supported on windows without external software.
OK, so maybe I should just scratch this idea? So there's another: some time ago I was in a hotel that granted access to it's WiFi network using one-time user/pass combo, issued on a piece of paper at the reception, valid for 24 hours. Could something like this be done with Freeradius? (and yes, I looked on google and freeradius.org, but I don't even have an idea how this auth mode is called, and frankly I'm not even sure it was 802.1x - all I know is that it worked on my laptop with Win7).
/br Stan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
David Mitton -
Phil Mayers -
stasheck