"Best" authentication mechanisms for Wi-Fi
Hello list, We're using FreeRADIUS to authenticate users to access our Wi-Fi. It works very well. The thing is : we use a mechanism that works perfectly for Android and Linux (NetworkManager) clients, but some can't access it, due to limitations. I'm thinking of some Windows flavors here. We store our passwords hashed in a MySQL database, and recommend the users to connect using "WPA2 Enterprise (802.11x) using TTLS method and PAP for phase2. Do you think that we could find a more "universal" combination that even "old" Windows clients would be compatible with ? I know that my vocabulary might sound really "newbie", although we've been running the system for quite some years now, and we had set it up using tutorials and some customization. But reading again the config. files, I can see that I might have to look into the specifics on Windows compatibility in eap.conf file. Anyway, in the meantime, if you have some hints on that, I'll be glad to read them. Best !
Hi,
We're using FreeRADIUS to authenticate users to access our Wi-Fi. It works very well. The thing is : we use a mechanism that works perfectly for Android and Linux (NetworkManager) clients, but some can't access it, due to limitations. I'm thinking of some Windows flavors here.
We store our passwords hashed in a MySQL database, and recommend the users to connect using "WPA2 Enterprise (802.11x) using TTLS method and PAP for phase2.
Do you think that we could find a more "universal" combination that even "old" Windows clients would be compatible with ?
In the same newbie language (because I am), you must use EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT compatible way (some flavor of MD4). What I ended with in LDAP is a normal MD5 hashed password for more of the usage and the same password hashed the MS way for Samba and 802.11x (and all the burden to keep the passwords in sync). Best regards, Olivier
I know that my vocabulary might sound really "newbie", although we've been running the system for quite some years now, and we had set it up using tutorials and some customization.
But reading again the config. files, I can see that I might have to look into the specifics on Windows compatibility in eap.conf file.
Anyway, in the meantime, if you have some hints on that, I'll be glad to read them.
Best !
[1/2:application/pgp-signature Show Save:signature.asc (181B)]
[2:text/plain Hide]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Thank you. Le 05/05/2015 11:30, Olivier Nicole a écrit :
In the same newbie language (because I am), you must use EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT compatible way (some flavor of MD4).
What I ended with in LDAP is a normal MD5 hashed password for more of the usage and the same password hashed the MS way for Samba and 802.11x (and all the burden to keep the passwords in sync).
Best regards,
Olivier
Indeed, I would have preferred to keep our current hashing mechanism, that's why I can't really move on to this. And of course, because once the passwords are hashed our way, we can't hash them differently, being unable to have the clear text ones. Cheers.
In the same newbie language (because I am), you must use EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT compatible way (some flavor of MD4).
What I ended with in LDAP is a normal MD5 hashed password for more of the usage and the same password hashed the MS way for Samba and 802.11x (and all the burden to keep the passwords in sync). Indeed, I would have preferred to keep our current hashing mechanism, that's why I can't really move on to this. And of course, because once the passwords are hashed our way, we can't hash them differently, being unable to have the clear text ones.
That is why I have both hashes in the database (ldap). I had to ask the users to change their password once, and the procedure to change the password would update both passwords in parallel. I implemented the dual hash many years ago, new users don't even know about it. Olivier
Cheers.
[1/2:application/pgp-signature Show Save:signature.asc (181B)]
[2:text/plain Hide]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Olivier Nicole wrote:
In the same newbie language (because I am), you must use EAP/MS-CHAP. This implies that you have your passwords stored in a LMNT compatible way (some flavor of MD4).
What I ended with in LDAP is a normal MD5 hashed password for more of the usage and the same password hashed the MS way for Samba and 802.11x (and all the burden to keep the passwords in sync). Indeed, I would have preferred to keep our current hashing mechanism, that's why I can't really move on to this. And of course, because once the passwords are hashed our way, we can't hash them differently, being unable to have the clear text ones.
That is why I have both hashes in the database (ldap). I had to ask the users to change their password once, and the procedure to change the password would update both passwords in parallel.
I implemented the dual hash many years ago, new users don't even know about it.
But bear in mind: With that approach the effective security strength is always that of the weaker hash algorithm. Ciao, Michael.
Hoggins! wrote:
We're using FreeRADIUS to authenticate users to access our Wi-Fi. It works very well. The thing is : we use a mechanism that works perfectly for Android and Linux (NetworkManager) clients, but some can't access it, due to limitations. I'm thinking of some Windows flavors here.
We store our passwords hashed in a MySQL database, and recommend the users to connect using "WPA2 Enterprise (802.11x) using TTLS method and PAP for phase2.
Do you think that we could find a more "universal" combination that even "old" Windows clients would be compatible with ?
I've also been through EAP-TTLS/PAP setup with Windows client the last days using OpenLDAP server as backend also with strong-hashed passwords. I do understand now why hotspot systems work with MAC addresses and authc via obscure web interfaces to make things look convenient for the average user. ;-) My tests with Windows 8 showed that it tries to use NTLM passwords in EAP-TTLS by default. But which route to take very much depends on your security requirements and operational preferences. Could you elaborate on that? Ciao, Michael.
Hello, Le 05/05/2015 11:33, Michael Ströder a écrit :
I've also been through EAP-TTLS/PAP setup with Windows client the last days using OpenLDAP server as backend also with strong-hashed passwords. I do understand now why hotspot systems work with MAC addresses and authc via obscure web interfaces to make things look convenient for the average user. ;-)
My tests with Windows 8 showed that it tries to use NTLM passwords in EAP-TTLS by default.
But which route to take very much depends on your security requirements and operational preferences. Could you elaborate on that?
Actually, it's a simple setup that only requires some security, more than a pre-shared key. The FreeRADIUS server picks up information in a database that is also used for a website : people authenticating on that website can also use the Wi-Fi of our facilities using their website password. It's also easier to revoke people when needed, etc. It's very small (for a student radio in France), and the security requirements are not absolutely vital, but anyway, we know that some of our users have difficulties connecting under Windows. And, of course, no error is ever available on their side to describe the problem.
Ciao, Michael.
Cheers.
On 05/05/15 10:12, Hoggins! wrote:
Do you think that we could find a more "universal" combination that even "old" Windows clients would be compatible with ?
As others have stated: for Windows 7 and earlier, the only built-in username/password auth method is PEAP with MSCHAP inner, which requires NT hashed passwords. The other alternatives are to install software onto those platforms that supports TTLS with PAP, or to use EAP-TLS with client certificates. Both have a deployment burden. There is no easy option here, I'm afraid.
2015-05-05 11:12 GMT+02:00 Hoggins! <hoggins@wheres5.com>:
Hello list,
We're using FreeRADIUS to authenticate users to access our Wi-Fi. It works very well. The thing is : we use a mechanism that works perfectly for Android and Linux (NetworkManager) clients, but some can't access it, due to limitations. I'm thinking of some Windows flavors here.
We store our passwords hashed in a MySQL database, and recommend the users to connect using "WPA2 Enterprise (802.11x) using TTLS method and PAP for phase2.
EAP-TTLS is not supported by Windows 7 or older. However, there is a "driver" for it from SecureW2 which was licensed under GPLv2 until version 4.1.0 (still available on the net) but I don't know if older systems than Windows 7 are supported.
Do you think that we could find a more "universal" combination that even "old" Windows clients would be compatible with ?
What clients do you mean by "old"? If your oldest client is Windows XP you can use PEAPv0/EAP-MSCHAPv2. I don't know if MAC OS supports EAP-MSCHAPv2 (it does support PEAP however) and based on the search results one has to use TTLS-PAP instead. At least Wikipedia states that PEAPv0/EAP-MSCHAPv2 is supported by MAC OS.
2015-05-06 9:47 GMT+02:00 Ben Humpert <ben@an3k.de>:
2015-05-05 11:12 GMT+02:00 Hoggins! <hoggins@wheres5.com>:
Hello list,
We're using FreeRADIUS to authenticate users to access our Wi-Fi. It works very well. The thing is : we use a mechanism that works perfectly for Android and Linux (NetworkManager) clients, but some can't access it, due to limitations. I'm thinking of some Windows flavors here.
We store our passwords hashed in a MySQL database, and recommend the users to connect using "WPA2 Enterprise (802.11x) using TTLS method and PAP for phase2.
EAP-TTLS is not supported by Windows 7 or older. However, there is a "driver" for it from SecureW2 which was licensed under GPLv2 until version 4.1.0 (still available on the net) but I don't know if older systems than Windows 7 are supported.
I just checked the SecureW2 software and actually it is compatible with XP, Vista and 7 and the license allows one to redistribute it. So if you want it I'll send it to you (536 KB zip). This is the same version which is still used (and sometimes provided) by plenty of universities to provide EDUROAM access for their students. If you instead want to buy it go https://www.securew2.com/products/enterpriseclient/ but the latest version doesn't support XP anymore.
participants (5)
-
Ben Humpert -
Hoggins! -
Michael Ströder -
Olivier Nicole -
Phil Mayers