wpa/wpa2 on logs

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Oct 15 14:45:51 CEST 2009



On 14/10/2009 14:38, Alan Buxey wrote:
> Hi,
> 
>> Hmm, just thought, some vendors may include the information in the RADIUS packet as VSAs (Vendor Specific Attributes).
>>
>> Might be worth running the server in debugging mode (radiusd -X) and see what your wireless controllers
>> are actually sending in Access-Request packets.
>>
>> So although you won't get the info in the EAP Tunnel, you may find it's available in the RADIUS Access-request
>> packets.
> 
> I thought the same thing - so had a quick look at our incoming RADIUS Access-Requests etc...
> and nothing useful buried there - but there again, I haven't looked at the other end
> yet to see if there are other options or VSAs that can be used -  we can currently get
> such info from the wireless control system - so that information is being passed from
> the LWAPP/CAPWAP systems to the controller - and a suitable SNMP to the WCS from the
> RADIUS server would allow you to tie the two together (best done out of band!) ..
> this is probably a useful step for any site wondering whether to drop WPA/TKIP
> support for example (for security - move to WPA2/AES) - you'd need to see how
> many non-AES clients you had before the change......
> 
> 

Slightly off topic:

I've seen discussions about this on the Educause list, and it appears
quite a few of our American counterparts have already dropped TKIP...

The problem with trying to do something intelligent like you suggested is that although many clients
can be made to support WPA2/AES, they don't currently.

For example, the Intel 2200B/G Mini-PCI card used in many older laptops doesn't have WPA2 support
in its older 2006 drivers. But a quick run of the Intel driver package and they'll happily connect
to any WPA2-Enterprise network.

Also, WPA2 support only made it into Windows XP SP3 (or SP2 with KB917021); there are many
unpatched clients out there that will connect to your network and select WPA/TKIP even though
the hardware is capable of better.

Until you actually make the switch over, you won't know how many clients really really can't
support WPA2.

-

We bit the bullet and turned off TKIP support on all Wireless networks at the beginning of September.
So far we've had no real complaints.

Arran
--
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
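An added example, not from this thread or the FreeRADIUS project, of the check Alan and Arran describe: grouping Access-Request dumps from `radiusd -X` by attribute to see what the controllers actually send, then counting distinct client MACs (not requests, since clients re-authenticate many times) per value of a chosen attribute. The debug text below is constructed in the style of FreeRADIUS 2.x output, and `Hypothetical-Cipher` is an invented placeholder for whatever VSA a given vendor might carry, not a real attribute.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resembling "radiusd -X" output; Hypothetical-Cipher is NOT a real VSA.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.1 port 32768, id=5, length=160
\tUser-Name = "alice"
\tCalled-Station-Id = "00-11-22-33-44-55:eduroam"
\tCalling-Station-Id = "aa-bb-cc-dd-ee-01"
\tHypothetical-Cipher = "TKIP"
+- entering group authorize {...}
rad_recv: Access-Request packet from host 10.0.0.1 port 32768, id=6, length=162
\tUser-Name = "bob"
\tCalling-Station-Id = "aa-bb-cc-dd-ee-02"
\tHypothetical-Cipher = "AES"
rad_recv: Accounting-Request packet from host 10.0.0.1 port 32769, id=7, length=120
\tUser-Name = "bob"
\tCalling-Station-Id = "aa-bb-cc-dd-ee-02"
\tAcct-Status-Type = Start
rad_recv: Access-Request packet from host 10.0.0.2 port 32768, id=8, length=140
\tUser-Name = "carol"
\tCalling-Station-Id = "aa-bb-cc-dd-ee-03"
rad_recv: Access-Request packet from host 10.0.0.1 port 32768, id=9, length=160
\tUser-Name = "alice"
\tCalling-Station-Id = "aa-bb-cc-dd-ee-01"
\tHypothetical-Cipher = "TKIP"
"""

HEADER_RE = re.compile(r"^rad_recv: (?P<code>\S+) packet from host (?P<nas>\S+) port \d+")
ATTR_RE = re.compile(r'^\s+(?P<name>[\w-]+) = (?P<value>.*)$')

def parse_access_requests(text):
    """Return one {attribute: value} dict per Access-Request; other packet types are skipped."""
    requests, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # new packet: only keep it if it is an Access-Request
            current = {"_nas": m.group("nas")} if m.group("code") == "Access-Request" else None
            if current is not None:
                requests.append(current)
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current[a.group("name")] = a.group("value").strip('"')
        elif not line.startswith(("\t", " ")):
            current = None  # non-indented line ends the packet dump
    return requests

def attribute_inventory(requests):
    """How many Access-Requests carry each attribute; vendor VSAs show up here."""
    inv = Counter()
    for r in requests:
        inv.update(k for k in r if not k.startswith("_"))
    return inv

def clients_by_value(requests, attr, client_attr="Calling-Station-Id"):
    """Distinct client MACs per value of attr; requests lacking attr are keyed under None."""
    seen = defaultdict(set)
    for r in requests:
        seen[r.get(attr)].add(r.get(client_attr, "<no MAC>"))
    return {k: sorted(v) for k, v in seen.items()}

if __name__ == "__main__":
    reqs = parse_access_requests(SAMPLE_DEBUG)
    print(attribute_inventory(reqs))
    for value, macs in clients_by_value(reqs, "Hypothetical-Cipher").items():
        print(f"{value!s:>6}: {len(macs)} client(s) {macs}")
```

Run it against a real `radiusd -X` capture and replace `Hypothetical-Cipher` with whichever attribute the inventory reveals, if any; if none carries cipher information, the count of distinct clients per attribute value is still the right unit for a pre-migration estimate.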