Hi Ian,

I've seen something like this when doing MAC authentication. It was
actually a "feature" of the WinXP/Win2k supplicant which defaults the
session time to about 6 seconds! If I explicitly set the session time
to be something more useful (1800 seconds is good) then everything was
happy.

Sorry if this is totally unrelated but I thought it might help.

Regards,
Guy

> -----Original Message-----
> From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 11:42
> To: [EMAIL PROTECTED]
> Subject: WPA w/ EAP-TLS against 0.8.1
>
> Hi,
>
> We're running FreeRADIUS version 0.8.1, and have been trying out
> authentication using a couple of "WPA-capable" 802.11 APs and PCMCIA
> cards on laptops, with EAP-TLS and certs.
>
> We've tried a matrix of the following:
>
> Laptops
> - Win2K SP4 w/ MS 802.1x patch and with Funk Odyssey client
> - WinXP
> - EAP-TLS certs installed
>
> PCMCIA cards
> - Linksys WPC54G
> - SMC2635W
>
> APs
> - Linksys WRT54G
> - SMC2804WBR
> - Cisco AP340
>
> All devices running latest possible drivers.
>
> Before testing WPA we were running the Cisco AP340 and the Win2K
> 802.1x auth patch, plus XP.
>
> Running either of the two PCMCIA cards, on either the Win2K or WinXP
> laptop, via the Linksys WRT54G AP, we see behaviour where the AP
> initiates access request to the FreeRADIUS server, the process runs
> through as normal, the access accept is sent to the AP, but it then
> immediately starts authentication again, and you run through the
> whole process repeatedly, starting again immediately after the accept
> is sent. Nothing seems abnormal if running FreeRADIUS in debug mode.
> With the Funk Odyssey client running on Win2K the behaviour is the
> same.
>
> Using the SMC AP, things are more interesting. The SMC AP's web-based
> control interface has a "security" main menu, with 802.1x as a
> sub-menu. If you turn the main security to "WPA/TKIP w/ RADIUS", then
> the behaviour is as with the Linksys above. However, if you turn it
> to "No Encryption" (so not even WEP enabled according to its
> interface), but leave the "enable 802.1x" turned on in the sub-menu,
> authentication takes place as normal. The SMC client card has client
> manager software, and if you turn on WPA on the AP, then the client
> manager shows a "key" symbol (presumably denoting some kind of
> security) next to the AP, but if you turn off encryption and leave
> 802.1x turned on, the key goes away.
>
> The Cisco AP doesn't have WPA but will do 802.1x as before.
>
> We're having trouble reaching a conclusion here (partly because it's
> difficult to tell what's happening), and certainly don't think we've
> got any "WPA" AP/client combination working with WPA/Radius. We had
> thought that, from an authentication perspective, there was no
> difference between 802.1x and WPA.
>
> Has anyone else managed to get WPA APs and clients running against
> FreeRADIUS using EAP-TLS?
>
> Many thanks,
>
> Ian

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html