Alan,

In response to your question the "better method" would be to direct you
(and anyone else wondering about the differences between PEAP and TTLS)
to read the following web page:

http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html

There is a good writeup on the subject and a table showing the
differences.

The short answer about a client certificate - it is optional in PEAP as it is
in TTLS...

Hope this sheds some light on the subject for you - I would have answered
directly but the web page did it so much better than I could!!!

Gary N. McKinney


----- Original Message -----
From: "Alan Russell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 02, 2004 11:01 AM
Subject: Re: Alan


> ----- Original Message ----- 
> From: "Gary McKinney" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, April 01, 2004 10:12 PM
> Subject: Re: Alan
> 
> 
> > Hi Alan,
> >
> > Basically:
> >
> > When you have a client machine that is connecting to a NAS using
> > EAP/TLS and variations thereof the encrypted path is ONLY between
> > the client machine and the NAS (be it wired or wireless).
> >
> > The Radius server provides the initial encryption path between the
> > client machine and the radius server only during the
> > authentication/authorization phase of the connection process. The
> > radius server uses the TLS side of the connection for the
> > authorization transactions once the TLS tunnel is established and
> > credentials have been verified (by virtue of the security
> > certificates both the radius server and client machine have
> > installed) ... with TTLS only the radius server has a certificate
> > and the encryption phase is handled by a certificate generated on
> > the radius server to that specific session - once validated the
> > NAS and the client machine receive an encryption key to use during
> > the connection session (and the key is renewed with a new key for
> > the NAS and client machine every so often - 300 seconds I think is
> > the default setting in FreeRadius's configuration file)....
> >
> > If you need encryption from the client machine to a distant
> > server/workstation then you will need to implement some additional
> > encryption mechanism between those end-points as the PEAP/TLS
> > session is ONLY between the NAS and client machine connecting to
> > the NAS...
> >
> > I hope this helps....
> >
> > Gary N. McKinney
> >
> 
> Gary,
> 
> Thanks for the help.  With my PEAP/TLS implementation (which
> appears to be working) my client machine, which is running win XP
> sp1, asks me for credentials, e.g. username/password, and if the
> user exists in the users file then I will be authenticated.
> However, I never installed the openssl generated certificate on the
> client side.  In my eap.conf file:
> eap {
>     default_eap_type = peap
>     etc......
> }
> 
> all tls info is correct, and
> 
> peap {
>     default_eap_type=mschapv2
> }
> 
> Is the client side cert. automatically accepted?  Also, I have "wep
> key is provided for me" checked on my XP machine and everything
> still functions fine.  Is the freeradius server providing a wep key
> to the client machine?
> 
> Thanks,
> Alan
> 
> 


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.648 / Virus Database: 415 - Release Date: 4/1/2004


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
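The key handling Gary and Alan are discussing (the server "providing a WEP key") is what RFC 2548 calls MS-MPPE-Recv-Key and MS-MPPE-Send-Key: once the PEAP or TTLS tunnel has completed, the RADIUS server places the session key material in the Access-Accept sent to the NAS, encrypted under the RADIUS shared secret and the Request Authenticator of the matching Access-Request, and the NAS uses it as the per-session (dynamic) WEP key. The client never receives that key over RADIUS; it derives the same material from its own side of the TLS handshake, which is why XP can have "the key is provided for me automatically" checked without any key being configured. The following is an added example, not code from this thread or from FreeRADIUS, that implements the RFC 2548 salt-and-MD5 encoding in Python and round-trips a 104-bit key through the server side and the NAS side. The shared secret, Request Authenticator and key bytes are constructed sample values.

```python
# MS-MPPE-Send-Key / MS-MPPE-Recv-Key encoding per RFC 2548 (sections 2.4.2/2.4.3).
# Added example for this thread, not code from FreeRADIUS.  All secrets, keys
# and the Request Authenticator below are constructed sample values.
import hashlib
import os
import struct

MICROSOFT_VENDOR_ID = 311   # IANA enterprise number used by the MS-* VSAs
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17
VENDOR_SPECIFIC = 26


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def encrypt_mppe_key(secret, request_authenticator, key, salt):
    """Server side: return Salt || String as carried inside the VSA."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    # Plaintext is one length octet, the key, then zero padding to 16 bytes.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    b = _md5(secret, request_authenticator, salt)      # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        b = _md5(secret, c)                             # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def decrypt_mppe_key(secret, request_authenticator, data):
    """NAS side: recover the key from Salt || String."""
    salt, cipher = data[:2], data[2:]
    if len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("String must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    b = _md5(secret, request_authenticator, salt)
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        b = _md5(secret, c)
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("implausible key length; wrong shared secret?")
    return bytes(plain[1:1 + length])


def build_mppe_vsa(vendor_type, salted_string):
    """Wrap Salt||String in a Vendor-Specific (26) attribute for Microsoft."""
    inner = struct.pack("!BB", vendor_type, 2 + len(salted_string)) + salted_string
    body = struct.pack("!I", MICROSOFT_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_mppe_vsa(attr):
    """Return (vendor_type, Salt||String) from a Microsoft VSA, or raise."""
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != VENDOR_SPECIFIC or alen != len(attr) or alen < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id != MICROSOFT_VENDOR_ID:
        raise ValueError("not a Microsoft VSA")
    vtype, vlen = struct.unpack("!BB", attr[6:8])
    if vlen != len(attr) - 6:
        raise ValueError("bad vendor-length")
    return vtype, attr[8:]


def demo():
    """Round-trip a 13-byte (104-bit) dynamic WEP key server -> NAS."""
    secret = b"testing123"                    # RADIUS shared secret (constructed)
    request_authenticator = bytes(range(16))  # from the Access-Request (constructed)
    recv_key = bytes.fromhex("0102030405060708090a0b0c0d")
    salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F), os.urandom(1)[0]])
    # Server: encrypt under the shared secret and put it in the Access-Accept.
    attr = build_mppe_vsa(MS_MPPE_RECV_KEY,
                          encrypt_mppe_key(secret, request_authenticator, recv_key, salt))
    # NAS: pull the attribute back out and decrypt it.
    vtype, blob = parse_mppe_vsa(attr)
    recovered = decrypt_mppe_key(secret, request_authenticator, blob)
    try:
        wrong = decrypt_mppe_key(b"wrong-secret", request_authenticator, blob)
    except ValueError:
        wrong = None
    return {"vendor_type": vtype, "matches": recovered == recv_key,
            "wrong_secret_matches": wrong == recv_key}


if __name__ == "__main__":
    print(demo())
```

The point worth keeping in mind: the only thing protecting that key on the wire between the NAS and the RADIUS server is the shared secret and MD5, not the TLS tunnel. Anyone who holds the shared secret and captures the Access-Request/Access-Accept pair can recover the key exactly as decrypt_mppe_key does, so the NAS-to-server path needs its own protection (a trusted wire, or IPsec) independently of PEAP or TTLS.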
