EAP-TLS WinXP, default_md MD5, default_eap_type

Si St sigbj-st at operamail.com
Wed Jul 11 21:17:26 CEST 2012


The following questions about changing default_md and default_eap_type
are solely for the matter that I should have RADIUS work on some
Linux-machines and some Windows-machines, all of them hopefully with TLS
client certificates mainly.

There are some diversities as to MD5 and post SP1 WinXP:

http://freeradius.org/doc/EAP-MD5.html
QUOTE:
Windows XP (before SP1)

Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!!
EAP-MD5 is only available for wired devices.

Go to the Network Connections window. Right-click the connection
corresponding to the adapter which is going to use EAP authentication.
Go to the "Authentication" tab. If it doesn’t appear (yes, it’s weird
sometimes) try to unplug and plug your adapter till it does (if
PCMCIA...) Otherwise, download the software for the adapter
configuration like e.g. ACU for the Cisco adapters and try to de- and
reactivate the card.

In the Authentication dialog, assure the box "Use IEEE802.1X network
authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).

That’s all. Now deactivate and reactivate your LAN-connection on this
adapter and it should work.
ENDQUOTE.

This recommendation is put forth in the etc/raddb/certs/README:
QUOTE:
MD5 has known weaknesses and is discouraged in favor of SHA1 (see
http://www.kb.cert.org/vuls/id/836068 for details). If your network
equipment supports the SHA1 signature algorithm, we recommend that you
change the "ca.cnf", "server.cnf", and "client.cnf" files to specify
the use of SHA1 for the certificates. To do this, change the
'default_md' entry in those files from 'md5' to 'sha1'.
ENDQUOTE.

In the eap.conf this is put forth:
QUOTE:
                #  We do NOT recommend using EAP-MD5 authentication
                #  for wireless connections.  It is insecure, and does
                #  not provide for dynamic WEP keys.
                #
                md5 {
                }
ENDQUOTE.

QUESTIONS:
->Should I stick only to the changes of default_md in ca.*, server.*, and
client.cnf and leave the eap.conf unchanged, or should I add a module
like:
		sha1 {
		}
or change the md5{} to sha1{}

or should it be done differently? I count on the postulate in
eap.conf that:
QUOTE:
                #  If the EAP-Type attribute is set by another module,
                #  then that EAP type takes precedence over the
                #  default type configured here.
ENDQUOTE.
and therefore I do not need to change so much in eap.conf

->Should I by all means keep the winXP user client on a PEAP solution because
the nice doc in:

http://freeradius.org/doc/EAPTLS.pdf

for Windows is outdated or won't work today?

It could be that I complicate the matter here by mixing together parts
that do not belong to each other, but I have to ask....
-- 
  Si St
  sigbj-st at operamail.com
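An added check for the default_md question above (example code, not from this post or from the FreeRADIUS project): it reads the signatureAlgorithm OID straight out of a certificate's DER, so the ca/server/client certificates regenerated after changing 'default_md' can be confirmed to no longer carry md5WithRSAEncryption. The two sample certificates at the bottom are constructed skeletons with placeholder contents, not real certificates.

```python
import base64
import re

# OIDs of the RSA signature algorithms that 'default_md' selects in ca.cnf/server.cnf/client.cnf.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert DER OID content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Name of the outer signatureAlgorithm of a certificate (PEM str or DER bytes)."""
    if isinstance(cert, str):               # strip PEM armour and whitespace
        cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert))
    _, body, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    _, algid, _ = read_tlv(body, pos)       # AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = read_tlv(algid, 0)          # first element: algorithm OID
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def uses_md5(cert):
    """True when the certificate was signed with the discouraged MD5 digest."""
    return signature_algorithm(cert) == "md5WithRSAEncryption"

# Constructed skeleton certificates (placeholder tbsCertificate and signature,
# NOT real certs) that differ only in the last arc of the signature OID.
_SKELETON = "3018" "3003020101" "300d" "06092a864886f70d0101{:02x}" "0500" "03020000"
SAMPLE_MD5_DER = bytes.fromhex(_SKELETON.format(4))
SAMPLE_SHA1_DER = bytes.fromhex(_SKELETON.format(5))
```

Run signature_algorithm() over the PEM text of each file in the certs directory; any result of md5WithRSAEncryption means that certificate predates the default_md change and needs regenerating.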

