What kind of cipher suite did you configure on your AP? For a Cisco AP, you should have something like this:

interface Dot11Radio0
no ip address
no ip route-cache
! ##### Require wep128 encryption
encryption mode ciphers wep128
! ##### rotate broadcast wep key every 10 minutes
broadcast-key change 600
! ##### Create an SSID named "ssid1"
! ##### Require EAP authentication
! ##### broadcast the SSID
ssid ssid1
authentication open eap eap_methods
guest-mode
! ###### set the data rates supported and/or required by the AP
! ###### These are the rates recommended by Cisco for best throughput
! ###### for supporting both 802.11b and 802.11g
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0


You'll also need to configure the AP to honor the Session-Timeout value returned by the Radius server (by default, Cisco APs don't).

! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
dot1x reauth-period server


On May 20, 2004, at 3:28 AM, Chris Bshaw wrote:

Hi Andrea....

Thanx for the reply. Using ethereal I can see the EAPOL packets on the wireless client.

However, if I go into the status monitor for the wireless card, it says security = none (it would normally say security = wep if I was using static non-EAP/TLS wep).

Also, as I mentioned below, the Cisco AP also says that the client is 'EAP-associated' but that Encryption is off.

However, everything works.....I am connected to the WLAN just fine.....I am just unsure whether or not my connection is encrypted with a WEP key.

I have read some more on this. I am not sure if I understand this correctly....so feel free to correct me. Once the mutual authentication is complete via EAP, the AP maintains per-client WEP keys which are generated once per 1x auth (and can be regenerated after some period of time, e.g. 1 hr) and a broadcast WEP key which is the same across clients (also can be regenerated after some period of time.)

So it seems that the AP is responsible for the WEP keys and their rotation......correct?

If so, I currently have WEP encryption disabled on my AP, and on my client. I had assumed that EAP-TLS took care of everything.

How do you have your client and hostapd configured? Do you have WEP enabled?
If so, since the keys are generated dynamically, do you just leave the WEP key fields on the client and AP blank?


Thanx in advance

Chris Bradshaw


From: "Andrea G. Forte" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Wed, 19 May 2004 17:25:12 -0400 (EDT)

Chris,

the whole purpose of 802.1x is to generate a secure auth mechanism and
dynamic re-keying. I have used hostapd together with freeradius and the
key generation as well as the re-keying are automatic. You can set the
re-keying interval as well.
I am not familiar with your setup, but a way to find out would be to
sniff the traffic and look for EAPOL-Key frames, which are exchanged at the
end of the auth process.


Hope this can help.
Andrea

On Wed, 19 May 2004, Chris Bshaw wrote:

> Hi....
>
> I have created the following setup:
>
> W2K 802.1x supplicant client with NetGear WG511 card
> Cisco Aironet 1200 AP
> RH9 Linux server with a cvs download of freeradius
>
> As per the many docs on the subject, I have successfully setup
> EAP-TLS.....however, I can't tell if WEP keys are being generated.
>
> When I look on the web admin page of the Aironet 1200 the associations list
> says that my W2K client is EAP-associated (so that works OK) but Encryption
> is marked as 'none'.
>
> ....and I have looked in the radiusd logs but can't work out whether WEP
> keys are being generated. I know that the session key is used to generate
> the keys, so perhaps something in the logs (without the word WEP in it) is
> responsible for WEP key generation.
>
> I thought that if you used EAP-TLS then you automatically got WEP keys
> generated....? Is this true?
> If so how can I confirm that this is happening (other than trying to sniff
> the traffic off the air to see if it is encrypted ;-)...
>
> If this isn't true, does this mean that it is possible to use EAP-TLS
> without WEP key generation?
>
> If so, are there extra steps I need to follow to activate WEP key generation
> as part of EAP-TLS?
>
> Sorry if some of these questions seem a bit strange....I am a bit new to
> 802.1x and EAP....
>
> Thanx in advance for any help.
>
> Chris Bradshaw
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
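Andrea's suggestion above (look for EAPOL-Key frames at the end of the auth) can be checked mechanically. The parser below is an added example, not code from anyone in this thread nor from hostapd or freeradius; the two frames and the 32-byte signing key are constructed test data, whereas on a real capture the signing key would be the second half of the EAP MSK that the RADIUS Access-Accept delivers to the AP as MS-MPPE-Send-Key.

```python
"""Parse IEEE 802.1X-2001 EAPOL-Key frames (RC4 key descriptor) to confirm
that an AP is delivering dynamic WEP keys after EAP-TLS completes.
Layout: EAPOL hdr version(1) type(1)=3 len(2); descriptor type(1)=1
key_len(2) replay(8) key_iv(16) key_index(1) signature(16) key(0..n).
key_index bit 7: 1 = unicast, 0 = broadcast; bits 0-1 = WEP key slot."""
import hashlib
import hmac
import struct

EAPOL_KEY = 3          # EAPOL packet type
RC4_DESCRIPTOR = 1     # key descriptor type used for dynamic WEP
HDR = struct.Struct("!BBH")            # EAPOL header
DESC = struct.Struct("!BH8s16sB16s")   # fixed part of the RC4 descriptor
SIG_OFF = HDR.size + DESC.size - 16    # offset of the 16-byte HMAC-MD5 signature

def parse_eapol_key(frame, sign_key=None):
    """Describe an EAPOL-Key frame, or return None if it is not one.
    sign_key is the second 32 bytes of the EAP MSK (MS-MPPE-Send-Key);
    when given, the HMAC-MD5 over the frame (signature zeroed) is verified."""
    _version, ptype, body_len = HDR.unpack_from(frame)
    if ptype != EAPOL_KEY:
        return None
    body = frame[HDR.size:HDR.size + body_len]
    dtype, key_len, replay, _iv, index, sig = DESC.unpack_from(body)
    if dtype != RC4_DESCRIPTOR:
        return None
    info = {"unicast": bool(index & 0x80), "key_index": index & 0x03,
            "key_len": key_len,                      # 5 = WEP40, 13 = WEP104
            "key_in_frame": len(body) > DESC.size,   # broadcast keys travel encrypted
            "replay_counter": int.from_bytes(replay, "big"), "signature_ok": None}
    if sign_key is not None:
        unsigned = bytearray(frame[:HDR.size + body_len])
        unsigned[SIG_OFF:SIG_OFF + 16] = bytes(16)
        calc = hmac.new(sign_key, bytes(unsigned), hashlib.md5).digest()
        info["signature_ok"] = hmac.compare_digest(calc, sig)
    return info

def build_eapol_key(sign_key, key_len, unicast, index, replay, enc_key=b""):
    """Build a signed EAPOL-Key frame as test data (enc_key = RC4-encrypted key, if any)."""
    flag = (0x80 if unicast else 0) | (index & 0x03)
    iv = bytes(range(16))   # constructed IV, not random
    body = DESC.pack(RC4_DESCRIPTOR, key_len, replay.to_bytes(8, "big"),
                     iv, flag, bytes(16)) + enc_key
    frame = bytearray(HDR.pack(1, EAPOL_KEY, len(body)) + body)
    frame[SIG_OFF:SIG_OFF + 16] = hmac.new(sign_key, bytes(frame), hashlib.md5).digest()
    return bytes(frame)

SIGN_KEY = b"\x00" * 32   # constructed stand-in for MSK[32:64]
UNICAST_FRAME = build_eapol_key(SIGN_KEY, 13, True, 0, replay=1)
BROADCAST_FRAME = build_eapol_key(SIGN_KEY, 13, False, 1, replay=2, enc_key=b"\x11" * 13)
```

Seeing a unicast frame followed by a broadcast frame (and the broadcast one again every broadcast-key change interval) is the on-air evidence that the AP, not the client, owns the WEP keys and rotates them.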

