wpa/wpa2 on logs
Hi, Is there a way to log if a supplicant is using either wpa or wpa2? Thanks in advance! -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 13/10/2009 18:53, Sergio Belkin wrote:
Hi,
Is there a way to log if a supplicant is using either wpa or wpa2?
Thanks in advance!
No. Information about the security association is not contained in EAP authentication attempts. - -- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrVv0UACgkQcaklux5oVKKXNACffdXicB7mRpyjrIQ5+5SqJwmM PzQAn1uXMepJnoVgxICyJ6BkwzjaeAg3 =uqXs -----END PGP SIGNATURE-----
2009/10/14 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 13/10/2009 18:53, Sergio Belkin wrote:
Hi,
Is there a way to log if a supplicant is using either wpa or wpa2?
Thanks in advance!
No. Information about the security association is not contained in EAP authentication attempts.
Thanks Arran! At least it's good to know that -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 14/10/2009 13:34, Sergio Belkin wrote:
2009/10/14 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 13/10/2009 18:53, Sergio Belkin wrote:
Hi,
Is there a way to log if a supplicant is using either wpa or wpa2?
Thanks in advance!
No. Information about the security association is not contained in EAP authentication attempts.
Thanks Arran! At least it's good to know that
Hmm, just thought, some vendors may include the information in the RADIUS packet as VSAs (Vendor Specific Attributes). Might be worth running the server in debugging mode (radiusd -X) and see what your wireless controllers are actually sending in Access-Request packets. So although you won't get the info in the EAP Tunnel, you may find it's available in the RADIUS Access-request packets. Arran - -- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrVyG0ACgkQcaklux5oVKIPEACfXH4XiM1UDHI1l4bVndmE79Qy 2+wAoJHllySDY05ThkrYaVhEDmyV0076 =mWSt -----END PGP SIGNATURE-----
Hi,
Hmm, just thought, some vendors may include the information in the RADIUS packet as VSAs (Vendor Specific Attributes).
Might be worth running the server in debugging mode (radiusd -X) and see what your wireless controllers are actually sending in Access-Request packets.
So although you won't get the info in the EAP Tunnel, you may find it's available in the RADIUS Access-request packets.
I thought the same thing - so had a quick look at our incoming RADIUS Access-Requests etc... and nothing useful buried there - but there again, I havent looked at the other end yet to see if there are other options or VSAs that can be used - we can currently get such info from the wireless control system - so that information is being passed from the LWAPP/CAPWAP systems to the controller - and a suitable SNMP to the WCS from the RADIUS server would allow you to tie the two together (best done out of band!) .. this is probably a useful step for any site wondering whether to drop WPA/TKIP support for example (for security - move to WPA2/AES) - you'd need to see how many non-AES clients you had before the change...... alan
Our Cisco's can optionally include it in the Accounting packets. It looks like this: Cisco-AVPair = "auth-algo-type=eap-peap" I had to include the following configuration on the AP so it would send it: radius-server vsa send accounting And configure accounting of course. -David Mitchell Alan Buxey wrote:
Hi,
Hmm, just thought, some vendors may include the information in the RADIUS packet as VSAs (Vendor Specific Attributes).
Might be worth running the server in debugging mode (radiusd -X) and see what your wireless controllers are actually sending in Access-Request packets.
So although you won't get the info in the EAP Tunnel, you may find it's available in the RADIUS Access-request packets.
I thought the same thing - so had a quick look at our incoming RADIUS Access-Requests etc... and nothing useful buried there - but there again, I havent looked at the other end yet to see if there are other options or VSAs that can be used - we can currently get such info from the wireless control system - so that information is being passed from the LWAPP/CAPWAP systems to the controller - and a suitable SNMP to the WCS from the RADIUS server would allow you to tie the two together (best done out of band!) .. this is probably a useful step for any site wondering whether to drop WPA/TKIP support for example (for security - move to WPA2/AES) - you'd need to see how many non-AES clients you had before the change......
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
Alan Buxey wrote:
Hi,
Our Cisco's can optionally include it in the Accounting packets. It looks like this:
Cisco-AVPair = "auth-algo-type=eap-peap"
thats just the method - just like MSCHAPv2 is the inner type - this doesnt state the link-layer encryption - ie TKIP or AES
Oops, my mistake. Yeah, I don't see the encryption type in any of my accounting packets. I can view it from the CLI of course, but that doesn't address the original question. -David
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 14/10/2009 14:38, Alan Buxey wrote:
Hi,
Hmm, just thought, some vendors may include the information in the RADIUS packet as VSAs (Vendor Specific Attributes).
Might be worth running the server in debugging mode (radiusd -X) and see what your wireless controllers are actually sending in Access-Request packets.
So although you won't get the info in the EAP Tunnel, you may find it's available in the RADIUS Access-request packets.
I thought the same thing - so had a quick look at our incoming RADIUS Access-Requests etc... and nothing useful buried there - but there again, I havent looked at the other end yet to see if there are other options or VSAs that can be used - we can currently get such info from the wireless control system - so that information is being passed from the LWAPP/CAPWAP systems to the controller - and a suitable SNMP to the WCS from the RADIUS server would allow you to tie the two together (best done out of band!) .. this is probably a useful step for any site wondering whether to drop WPA/TKIP support for example (for security - move to WPA2/AES) - you'd need to see how many non-AES clients you had before the change......
Slightly off topic: I've seen discussions about this on the Educase list, and it appears quite a few of our American counterparts have already dropped TKIP... The problem with trying to do something intelligent like you suggested, is that although many clients can be made to support WPA2/AES, they don't currently. For example the Intel 2200B/G Mini-Pci card used in many older laptops doesn't have WPA2 support in its older 2006 drivers. But a quick run of the Intel driver package and they'll happily connect to any WPA2-Enterprise network. Also WPA2 support only made it into Windows XP SP3 (or SP2 with KB KB917021), there are many unpatched clients out there, who'll connect to your network and select WPA/TKIP even though the hardware is capable of better. Until you actually make the switch over, you won't know how many clients really really can't support WPA2. - - We bit the bullet and turned off TKIP support on all Wireless networks at the beginning of September. So far we've had no real complaints. Arran - -- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrXGX8ACgkQcaklux5oVKIvcwCfZ+qvD9A7njXJWYcZW7Lp3Ei4 yrkAn35UiYh3USKnMmianlNoPdUJSJtT =CPRf -----END PGP SIGNATURE-----
participants (4)
-
Alan Buxey -
Arran Cudbard-Bell -
David Mitchell -
Sergio Belkin