Best Authentication Method for Various Supplicant
alex at digriz.org.uk
Fri Sep 3 22:42:36 CEST 2010
homyang cha <homyang4u at gmail.com> wrote:
> Now my issues are: in my networks there are various kinds of OS
> running for supplicants. To name a few are Windows XP (SP2, SP3),
> Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have
> to configure AAA applicants systems in such a way all this systems are
> supported. Can someone help me suggest or have any idea/experience on
> this. What could be the best authentiation method that I can use so
> that all this supplicants using different OS are supported. Also I use
> wired connection as well as wireless connection in the network. Does
> anybody throw some light on this matter?
Here is a summary of my five years of experience being a network
analyst at a UK university... :) Mac OS X and Linux are really trivial
and it is hard to write much about them, it is Microsoft that
unsurprisingly once again excel at causing us so much pain.
For Windows XP/Vista/Win7 you have two options:
* TTLS - involves purchasing SecureW2
PEAP might seem appealing as it is built into Windows, however by the
sounds of things all the workstations connecting are not part of your
Microsoft AD (like ours) and so you cannot push out a group policy
autoconfiguring everyones equipment. This means you (or rather your
helldesk minions) have to manually configure every workstation by hand
which can lead to corners being cut (skipping certificate validation)
Until recently there was no way to avoid this nasty choice of either AD
importing or manual configuration. Fortunately, one of my counterparts
working also in academentia put together a collection of scripts/tools
and called it SU1X that lets you autoconfigure PEAP behind a single
TTLS with SecureW2 is the other option and from day let you pre-seed the
configuration so that everything got configured plus the handy popups
and full customisation can be a nice touch if that sort of thing floats
your boat, or rather your boss's. Of course, SecureW2 comes with a
price tag, we personally think a *very* good one when you think of the
money in hours saved in your helpdesk team costs. Things get even
better when you wrap the lot up in a NSIS script like we have.
There is actually a technical reason that might force you to choose
between PEAP and TTLS which boils down to how your passwords were stored
in your backend database. If you have an LDAP backend only (where the
plaintext password is not extractable) then TTLS/PAP is really your
*only* option. If you have a Microsoft AD backend for your user
accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2).
Originally we only had an LDAP backend database, but then 'upgraded' to
using Novell's Universal Password so now we no longer have the TTLS
constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose
*not* to offer PEAP).
So, why pick one or the other, technical reasons only. SecureW2 handles
certificate chaining a *lot* better than the PEAP and due to it's
commercial nature it's hard for the helpdesk to cut corners and *not*
use your official hand crafted blessed installer as they cannot source
their own copy. PEAP however will offer you Statement of Health;
speaking to the SecureW2 author though he is keen to work on adding
support for this. One other win for SecureW2 is you get GTC support
too, so you can do fancy things like use one time passwords (the
changing key is generated by your mobile phone) which works nicely too;
well it would work nicely if Alan accepted trivial patches to the GTC
FreeRADIUS module (along with the LDAP one I posted...) </rant>
Lucky for you SU1X is free to play with and you can also get a fully
enabled trial for free of SecureW2 (man, I must sound like a sales
droid). Play with both and decide what you prefer.
As for the Mac OS X weenies I noticed as soon as I enabled
TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to
automatically configure themselves. No idea what they are like when
confronted with PEAP but they would not autoconfigure TTLS/PAP :-/
The Linux users, well we are fine, you can see what we do destructions
wise on our support website. One of our students is slowly getting
around to testing amendments I suggested to the Wicd template that
should improve things further; I myself am a Debian wpa_supplicant kinda
As for your last question regarding simulateous wired and wireless
access, look around the Internet and read up about 'routing metrics'.
In short, make your wifi link have a higher (lower priority) routing
metric; although this overlooks source based routing issues but that is
not a FreeRADIUS problem or an issue that should be discussed here.
If you have any more questions then do ask.
 I strongly recommend you just say no to SP2, hell Microsoft will no
longer support it so why should you. However, if you insist on
punishing yourself make sure you force an install of
KB917021. Really you should make a condition of getting
onto the wifi/wired 802.1X network that the user has to update
to the latest service pack
.sigmonster says: Massachusetts has the best politicians money can buy.
More information about the Freeradius-Users