From: From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> Sep 17, 2009 04:28:13 AM, freeradius-users@lists.freeradius.org wrote:
Hi,
I have everything configured for md5 authentication so that I do not need to use either server or client-side certificates. I have my access points configured in /etc/raddb/clients.conf and my users configured in /etc/raddb/users >> >>>> My access point is set to WPA Enterprise security using a RADIUS server.
cool. last time i checked you couldnt use MD5 as a method for wireless 802.1X - there are only certain EAP types that can be used - PEAP, EAP-TLS, EAP-TTLS etc being some of them.
Microsoft has disabled MD5 in recent releases. If you really want to use it, you have to figure out how to reenable it. You can, but that's an exercise for the reader. For WPA wireless encryption, you must use an EAP method that generates encryption keys. MD5 does not. Neither does GTC. If you need to use clear text passwords, the "fix" is to run the method inside of PEAP or TTLS, which will generate keys and protect your passwords in the air.
MD5 is fine for wired because - ha ha - wired 802.1X is a bit of a joke really - all it does is authenticate you, there is no
Um, I don't get the "joke"? How is that different than normal NAS PPP dial-up access that RADIUS was originally designed for? Most people using wired 802.1X only need network access control. Wireless is the special case here. And the encryption only covers the connection between the station and the access point. If you want to protect your data on a physical wire, use a VPN or IPSEC. Dave Mitton.
link layer encryption going on - unlike WPA Enterprise wireless - which all gets encapsulated in an EAP tunnel - hence you need specific types of EAP for wifi ... alan
Thanks Dave! "If you need to use clear text passwords, the "fix" is to run the method inside of PEAP or TTLS, which will generate keys and protect your passwords in the air." So basically if i set in my eap.conf default type to PEAP, how do I do the "fix" you speak of. Also, in using PEAP, which certificates should I edit from the default values? And just do be doubly sure, is this method with the "fix" will still allow clients to connect without having to load a certificate right? Thanks! ---------------------------------------- > Date: Thu, 17 Sep 2009 14:25:34 +0000 > From: david@mitton.com > To: freeradius-users@lists.freeradius.org > Subject: Re: Re: Configuration for md5 not working > > From: From: Alan Buxey > Sep 17, 2009 04:28:13 AM, freeradius-users@lists.freeradius.org wrote: > >>Hi, >> >>> I have everything configured for md5 authentication so that I do not need to >>> use either server or client-side certificates. I have my access points >>> configured in /etc/raddb/clients.conf and my users configured in >>> /etc/raddb/users>>>>>> >> My access point is set to WPA Enterprise security using a RADIUS server. >> >>cool. last time i checked you couldnt use MD5 as a method for wireless 802.1X >>- there are only certain EAP types that can be used - PEAP, EAP-TLS, EAP-TTLS >>etc being some of them. > > Microsoft has disabled MD5 in recent releases. If you really want to use it, you have to figure out how to reenable it. > You can, but that's an exercise for the reader. > > For WPA wireless encryption, you must use an EAP method that generates encryption keys. MD5 does not. Neither does GTC. > If you need to use clear text passwords, the "fix" is to run the method inside of PEAP or TTLS, which will generate keys > and protect your passwords in the air. > >> MD5 is fine for wired because - ha ha - wired 802.1X >>is a bit of a joke really - all it does is authenticate you, there is no > > Um, I don't get the "joke"? How is that different than normal NAS PPP dial-up access that RADIUS was originally designed for? > Most people using wired 802.1X only need network access control. Wireless is the special case here. > And the encryption only covers the connection between the station and the access point. > If you want to protect your data on a physical wire, use a VPN or IPSEC. > > Dave Mitton. > > >>link layer encryption going on - unlike WPA Enterprise wireless - which all gets >>encapsulated in an EAP tunnel - hence you need specific types of EAP for wifi >>... >>alan > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _________________________________________________________________ Ready for Fall shows? Use Bing to find helpful ratings and reviews on digital tv's. http://www.bing.com/shopping/search?q=digital+tv's&form=MSHNCB&publ=WLHMTAG&crea=TEXT_MSHNCB_Vertical_Shopping_DigitalTVs_1x1
"If you need to use clear text passwords, the "fix" is to run the method inside of PEAP or TTLS, which will generate keys and protect your passwords in the air."
So basically if i set in my eap.conf default type to PEAP, how do I do the "fix" you speak of.
That's irrelevant. You need to set PEAP as authentication protocol on the user machine. Setting it as default on the server you can save one EAP exchange at best but that won't have any influence on what protocol is used. That is negotiated between the supplicant and the NAS. Radius server just processes what was agreed between them.
Also, in using PEAP, which certificates should I edit from the default values?
Read instructions in raddb/certs/README.
And just do be doubly sure, is this method with the "fix" will still allow clients to connect without having to load a certificate right?
Not with self-signed certificates. You can purchace a server certificate from the commercial cert provoder and use their CA but that introduces vulnerability into your network. Ivan Kalik Kalik Informatika ISP
participants (3)
-
David Mitton -
Ivan Kalik -
Jon Standley