EAP-TLS WinXP, default_md MD5, default_eap_type

Stefan Winter stefan.winter at restena.lu
Wed Jul 11 22:23:53 CEST 2012


Hello,

the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5
that is used as a message digest in certificate generation (configured
in the .cnf files you mentioned) have *nothing* to do with each other.

I.e. you can change one without side-effects on the other.

Since there is no EAP-SHA1, it does not make sense to add a sha1 { }
section in eap.conf.

The replacements for MD5 in EAP are things like TTLS, PEAP, TLS, and
others. They are mentioned in eap.conf. If you want to get rid of
EAP-MD5, configure one of those.

Greetings,

Stefan Winter

On 11.07.2012 21:17, Si St wrote:
> The following questions about changing default_md and default_eap_type
> is solely for the matter that I should have RADIUS work on some
> Linux-machines and some Windows-machines all of them hopefully with TLS
> client certificates mainly.
>
> There are some diversities as to MD5 and post SP1 WinXP:
>
> http://freeradius.org/doc/EAP-MD5.html
> QUOTE:
> Windows XP (before SP1)
>
> Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!!
> EAP-MD5 is only available for wired devices.
>
> Go to the Network Connections window. Right-click the connection
> corresponding to the adapter which is going to use EAP authentication.
> Go to the "Authentication" tab. If it doesn’t appear (yes, it’s weird
> sometimes) try to unplug and plug your adapter till it does (if
> PCMCIA...) Otherwise, download the software for the adapter
> configuration like e.g. ACU for the Cisco adapters and try to de- and
> reactivate the card.
>
> In the Authentication dialog, assure the box "Use IEEE802.1X network
> authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).
>
> That’s all. Now deactivate and reactivate your LAN-connection on this
> adapter and it should work. 
> ENDQUOTE.
>
> This recommendation is put forth in the etc/raddb/certs/README:
> QUOTE:
> MD5 has known weaknesses and is discouraged in favor of SHA1 (see
> http://www.kb.cert.org/vuls/id/836068 for details). If your network
> equipment supports the SHA1 signature algorithm, we recommend that you
> change the "ca.cnf", "server.cnf", and "client.cnf" files to specify
> the use of SHA1 for the certificates. To do this, change the
> 'default_md' entry in those files from 'md5' to 'sha1'.
> ENDQUOTE.
>
> In the eap.conf this is put forth:
> QUOTE:
> #  We do NOT recommend using EAP-MD5 authentication
> #  for wireless connections.  It is insecure, and does
> #  not provide for dynamic WEP keys.
> #
> md5 {
> }
> ENDQUOTE.
>
> QUESTIONS:
> ->Should I stick only to the changes of default_md in ca.*, server.*, and
> client.cnf and leave the eap.conf unchanged, or should I add a module
> like:
> 		sha1 {
> 		}
> or change the md5{} to sha1{}
>
> or should it be done differently? I count on the postulate in
> eap.conf that:
> QUOTE:
> #  If the EAP-Type attribute is set by another module,
> #  then that EAP type takes precedence over the
> #  default type configured here.
> ENDQUOTE
> and therefore I do not need to change so much in eap.conf
>
> ->Should I by all means keep winXP-userclient to a PEAP solution because
> the nice doc in:
>
> http://freeradius.org/doc/EAPTLS.pdf
>
> for Windows is outdated or won't work today?
>
> It could be that I complicate the matter here by mixing together parts
> that do not belong to each other, but I have to ask....
