Free RADIUS for WLAN - Problems?

Artur Hecker hecker at enst.fr
Sun Jun 12 20:38:16 CEST 2005


hi


> - What are the differences between "unicast key" and "multicast/global key"?
> If unicast key is used for encrypting per-client data and if I have 20
> clients, does that mean Access Point must hold all

of course, since the communications are encrypted with a different key
per client. otherwise your cell neighbors could read your data.


> 20 per-client unicast keys? And if multicast/global key is used for
> encrypting multicast/broadcast traffic, does that mean we have to
> pre-configure the key in Access Point?

when it gets down to details, then it gets a little bit nasty, since
strictly speaking before 802.11i there wasn't any real standard for that.
talking about 802.11i, the answer is NO. the multicast key is chosen
randomly by the access point for the first client and is delivered to
the client by the access point using a key encryption key for any
subsequent client.


> - Can someone explain to me the "4-way handshake" and how a client
> derives a 128-bit key for Encryption and a 64-bit key for MIC?

yes, the IEEE 802.11i standard. please read the security section or look
on the web for 802.11i 4way handshake. i'm sure you'll find enough
information.


> - I want to authenticate my clients with ComputerName\\UserName and I
> configured my radiusd.conf like below:
>  realm ntdomain {
>    format = prefix
>    delimiter = "\\\\"
>    ignore_default = no
>    ignore_null = no
>   } 
> Is it right? Is it necessary to care about lowercase or uppercase in
> ComputerName?

ahem. i think that you could do it this way, but it is not necessary.
the realms are primarily used for relaying requests to other servers. if
you just want a naming convention, you could probably directly store
these names in a database.


> - And I have a problem with my XP client: after the first successful
> authentication, when I disconnect and reconnect, instead of my having
> to enter my username and password, it automatically connects without a
> login prompt.

you mean with PEAP/MS-CHAPv2? yes, Windows XP stores the credentials in
the registry.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823731


ciao
artur



-- 
Artur Hecker
WaveStorm SARL
WaveStorm Support: support at wave-storm.com
http://www.wave-storm.com
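
The key split asked about in the 4-way handshake question above, as an added example that is not part of the original post: the 802.11i PRF (HMAC-SHA1 with the label "Pairwise key expansion") stretched to 512 bits for TKIP and cut into the 128-bit encryption key, the two 64-bit MIC keys, and the key encryption key that wraps the multicast key. The function names and all PMK, MAC address and nonce values are constructed for illustration; with 802.1X the PMK comes out of the EAP exchange with the RADIUS server.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]

def derive_ptk_tkip(pmk, aa, spa, anonce, snonce) -> dict:
    """Split a 512-bit PTK into the keys both sides hold once nonces are exchanged."""
    # Sorting the addresses and nonces makes AP and client hash identical input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {
        "KCK": ptk[0:16],      # authenticates the EAPOL-Key frames
        "KEK": ptk[16:32],     # wraps the group (multicast) key sent to the client
        "TK": ptk[32:48],      # 128-bit unicast encryption key
        "MIC_TX": ptk[48:56],  # 64-bit Michael key, AP -> client
        "MIC_RX": ptk[56:64],  # 64-bit Michael key, client -> AP
    }

# Constructed sample values (not from a real capture).
PMK = bytes(range(32))
AA = bytes.fromhex("020000000001")    # access point MAC
SPA = bytes.fromhex("020000000002")   # client MAC
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

if __name__ == "__main__":
    for name, key in derive_ptk_tkip(PMK, AA, SPA, ANONCE, SNONCE).items():
        print(f"{name:7s} {len(key) * 8:3d} bits  {key.hex()}")
```

A second client with its own MAC address and nonces gets a different PTK from the same code path, which is why the access point holds one unicast key set per associated client.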