Ian


i think you have to pay thousands to enter the "open" industry alliance, namely the wifi alliance (www.wifialliance.com). they are responsible for WPA and they have some "white papers" on this matter on their site. however, it does NOT go very deep.


regarding jeremy's remark about TKIP, key rotation, MIC and 802.1X i would agree that WPA is kind of a sum of these loosely coupled features. WPA is also a roadmap from local WEP to centralized authentication with AES encryption, however it aims to be interoperable and thus does not enforce AES for the beginning. i would say, what Cisco does is more or less WPA.

there are some good points though. the problem with all this WEP and 802.1X interconnect is as always the interfacing. you will find documents and standards on EAP, EAP-subtypes, RADIUS and 802.1X (i.e. basically EAPOL). however, there are no _standards_ on HOW a central radius server gives the key material to the AP (which radius attributes and which format), what this key material is exactly derived from (since that would depend on the used EAP method) on supplicant and radius and how, by whom, when and how often a reauthentication should be triggered.

imho, that is something to be standardized by WPA but as i said earlier, you'll hardly get access to the documents...


ciao artur


Ian Pritchard wrote:



Hi Alan,



From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: WPA w/ EAP-TLS against 0.8.1
Date: Thu, 02 Oct 2003 22:52:50 -0400


"Ian Pritchard" <[EMAIL PROTECTED]> wrote:
> I've read the responses to this and to the TLS/TTLS thread... tried to find
> somewhere in the Funk client where I might be able to control some kind of
> reauthentication interval (there's a setting on the AP), but no luck there
> unfortunately.


It's set by the RADIUS server, via Session-Timeout.


Yeah, got that one, but just wondered if there was also something in the supplicant to do this independently, other than resetting the connection or pulling the PCMCIA card out of the laptop....

> Given that WPA is "the 802.11 security protocol suite of the
> future", I guess it might be quite important.... regardless of which
> EAP flavour is used... ;-)

  Many EAP methods such as LEAP, TLS, and TTLS include dynamic WEP
keys.  That would appear to be incompatible with WPA.


Okay, that's interesting. My impression was that WPA w/RADIUS was supposed to be fully retro-compatible with 802.1x (at least in terms of EAP flavours and the way they operate). Does anyone know where WPA is actually defined? I mean, is there a definition document widely available? Does it go down to a technical level? Or do you have to pay thousands to join an "open" industry forum to have access to the standard? Also, if the WPA standard includes RADIUS authentication, what does it mean by "RADIUS" - whose RADIUS servers have been tested?

Jeremy, interesting what you said about your Cisco AP 1200 - I think the implementation there is "802.1x" and not WPA, right? The SMC AP we tried seemed to be the same - when you turn on "WPA w/TKIP" it didn't work for our supplicants against FreeRADIUS, but when you just turned on "802.1x authentication" it worked fine.

So, if dynamic WEP is incompatible with WPA, is that the fault of (and should the fix happen on) the EAP method, the AP, the supplicant or FreeRADIUS?

Thanks,

Ian




- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
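
An added example, not part of the original thread and not FreeRADIUS code: a bounds-checked parser that reads the Session-Timeout attribute mentioned above out of a RADIUS Access-Accept, for checking what reauthentication interval a server actually sends to the AP. It goes slightly beyond the thread by also reading Termination-Action (value 1, RADIUS-Request, is what turns the timeout into a reauthentication rather than a disconnect); the function names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27       # attribute type, 32-bit value in seconds
TERMINATION_ACTION = 29    # attribute type, 1 = RADIUS-Request

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [value_bytes, ...]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with the data received")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def reauth_policy(packet: bytes):
    """Return (seconds, reauthenticates) from an Access-Accept, else None."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return None
    attrs = parse_attributes(packet)
    timeout = attrs.get(SESSION_TIMEOUT)
    if not timeout or len(timeout[0]) != 4:
        return None
    seconds = struct.unpack("!I", timeout[0])[0]
    action = attrs.get(TERMINATION_ACTION, [b"\x00\x00\x00\x00"])[0]
    return seconds, action == b"\x00\x00\x00\x01"

def build_sample(seconds: int, reauth: bool) -> bytes:
    """Constructed Access-Accept; the authenticator is zero filler, not a real one."""
    body = struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)
    body += struct.pack("!BBI", TERMINATION_ACTION, 6, 1 if reauth else 0)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(reauth_policy(build_sample(600, True)))
```
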
