I don't know.  That does have me concerned about my test AP...


On May 25, 2004, at 6:56 AM, Chris Bshaw wrote:

Hi Bob.....

I **think** I might have it working now.

I just added to the original config the following lines:

encryption vlan 90 key 1 size 128bit 7 CE78330C1A841439656A9323F25A transmit-key
encryption vlan 90 mode ciphers wep128


I read through some examples on the cisco website (mostly for LEAP rather than EAP) and they mentioned creating an initial broadcast key.

Now I can connect my client PC, and all the traffic in kismet appears encrypted. If I open a kismet dump in ethereal, it also appears encrypted and all I see is MAC addresses....no IP addresses....is this what I should see if I have not decrypted the traffic?

I know I am being pedantic, but if I initialise the broadcast key as above, and then use broadcast key rotation, (which I am) am I correct in saying that this means that once the broadcast key rotation time limit is reached a new broadcast key is generated which is different from the initial one?

If so, I presume this means that when the unit is switched on, it will always have the same initial key....(i.e. it doesn't in some way remember the last one used?)?

Thanx for all your help.

Chris.
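
As an added config-review example (not code from the thread or from Cisco), the two `encryption vlan 90` lines above are the kind of thing a defender wants to spot automatically when auditing an Aironet config: which VLANs still run WEP, whether a broadcast-key rotation interval is set, and whether the key is stored with type 7 obfuscation. The sample config, the key value and the `broadcast-key vlan 90 change 300` line are constructed for this example and assume the usual Aironet IOS syntax.

```python
import re

# Constructed sample modelled on the two lines quoted in the thread, plus a
# broadcast-key rotation line (assumed Aironet syntax; the key is a placeholder).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 90 key 1 size 128bit 7 0123456789ABCDEF0123456789 transmit-key
 encryption vlan 90 mode ciphers wep128
 broadcast-key vlan 90 change 300
"""

# encryption [vlan N] key SLOT size {40|128}bit [0|7] VALUE [transmit-key]
KEY_RE = re.compile(
    r"^\s*encryption(?: vlan (?P<vlan>\d+))? key (?P<slot>\d+) size (?P<size>\d+)bit"
    r"(?: (?P<enc>[07]))? (?P<value>\S+)(?P<tx> transmit-key)?\s*$")
# encryption [vlan N] mode ciphers LIST   |   encryption [vlan N] mode wep {mandatory|optional}
MODE_RE = re.compile(
    r"^\s*encryption(?: vlan (?P<vlan>\d+))? mode "
    r"(?:ciphers (?P<ciphers>.+?)|wep (?P<wep>mandatory|optional))\s*$")
# broadcast-key [vlan N] change SECONDS
ROT_RE = re.compile(r"^\s*broadcast-key(?: vlan (?P<vlan>\d+))? change (?P<secs>\d+)")

def audit_wep_config(text):
    """Return {vlan: {...}} describing key, cipher and rotation state per VLAN."""
    vlans = {}
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            v = vlans.setdefault(m["vlan"] or "native", {})
            v.setdefault("keys", []).append({
                "slot": int(m["slot"]), "bits": int(m["size"]),
                "type7": m["enc"] == "7",   # type 7 is reversible obfuscation, not encryption
                "transmit": m["tx"] is not None})
        elif m := MODE_RE.match(line):
            v = vlans.setdefault(m["vlan"] or "native", {})
            v["ciphers"] = (m["ciphers"] or "wep").split()
        elif m := ROT_RE.match(line):
            v = vlans.setdefault(m["vlan"] or "native", {})
            v["rotation_secs"] = int(m["secs"])
    return vlans

def findings(vlans):
    """Plain-text observations a reviewer would raise for each VLAN."""
    out = []
    for vlan, v in vlans.items():
        weak = [c for c in v.get("ciphers", []) if c.startswith("wep")]
        if weak:
            out.append(f"vlan {vlan}: WEP cipher(s) {weak} configured")
        if "rotation_secs" in v:
            out.append(f"vlan {vlan}: broadcast key rotated every {v['rotation_secs']}s")
        else:
            out.append(f"vlan {vlan}: no broadcast-key rotation configured")
        if any(k["type7"] for k in v.get("keys", [])):
            out.append(f"vlan {vlan}: key stored as type 7 (recoverable from the config file)")
    return out
```

Running `findings(audit_wep_config(SAMPLE_CONFIG))` lists the WEP cipher, the 300 s rotation interval and the type 7 key for VLAN 90; feed it a saved `show running-config` to check every radio VLAN at once.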


From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Mon, 24 May 2004 14:25:31 -0600

I honestly don't know, but I'd love to find out.

Three things I can think of to try...

1) You should be able to specify a vlan for your cypher suite, something like this " encryption vlan mode 90 mode ciphers wep128" You might see if that makes any difference
2) You could try using "encryption mode wep mandatory" instead of ciphers.
3) You could try upgrading to the latest IOS version for your AP, and/or open a TAC case.



On May 24, 2004, at 1:55 PM, Chris Bshaw wrote:

Hi Bob....

Config attached.

Also, I should mention the config of the client. I am using a NetGear WG511 802.11g card. I don't have any security features enabled on the utility which comes with the WG511 (no WEP, WPA etc) and there are no options for EAP on this utility.....

I enabled all the EAP stuff via the Authentication tab on the Properties of the interface under Start -> Network and Dialup connections in Windoze.

Under there I have the following set:

Enable network control using IEEE 802.1x

EAP Type: Smart Card or other Certificate

Use a certificate on this computer

....and I select the certificate generated on my freeradius server. This is more or less what is described under http://www.freeradius.org/doc/EAPTLS.pdf.

There is a method in this doc for debugging EAP on the Cisco AP, which I had not noticed before.....I'll try this tomorrow.

Finally, just in case you might not remember from my previous emails, I was (and I think still am) able to see EAPOL packets on my wireless client when I ran ethereal on the wireless interface.

Thanx in advance for your help.

Chris.



<ap-confg>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

