On Thu, 29 Jul 2004, Christophe Boyanique wrote:

> Hello,
>
> I want to secure a wireless network (operated with Cisco Aironet 1200
> aps) via freeradius connected to an OpenLDAP server; with clients
> running Windows 2000, Windows XP and Mac OS-X (>= 10.2).
>
> I saw that EAP-MD5 is not recommended (and not supported by Windows XP
> since SP1).
>
> EAP-TLS is not a choice as there is no LDAP interaction from what I've
> read on this mailing-list and other places.

Depends on what you mean by LDAP interaction. You can still use LDAP to
*authorize* the user. EAP-TLS just does certificate authentication so there's
not much LDAP interaction involved (apart from probably verifying the supplied
user certificate through LDAP, though that's not currently supported)

>
> The best choice seems to be EAP-TTLS as it is supported by freeradius
> and the selected clients. But I have some questions about the protocol
> to use inside the TLS tunnel.
>
> It seems that EAP-MD5 is not possible as passwords are stored in {CRYPT}
> format in the LDAP.
> I tried the EAP-MD5+LDAP feature and it works indeed with clear
> passwords. I was wondering if it would be possible to patch the eap-md5
> module to crypt the password sent by the supplicant before comparing it
> with the one from the LDAP ?

Please read the CHAP/EAP-MD5 specification. That's not how the protocol works.
You *need* clear text passwords for EAP-MD5 to work.

>
> I read some things about using PAP inside EAP-TTLS. It seems that
> {CRYPT} passwords work with PAP as I see there is an encryption_scheme
> parameter for PAP.

You can also use the ldap module for authentication instead of the pap module
(authentication through an ldap bind request).

>
> But will PAP be supported by supplicants running on Windows and Mac OS-X ?

If you are going to use EAP-TTLS you must use the SecureW2 client, since Windows
does not support EAP-TTLS. SecureW2 supports PAP, so you should be fine. I have no
idea about Mac OS X, though; since it's a Unix flavor, maybe Xsupplicant can work on
it (Xsupplicant supports EAP-TTLS).

>
>
> Thank you for your help,
>
> Christophe.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
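The following is an added illustration of the point made in the reply above (that EAP-MD5 cannot be checked against a hashed password, while PAP inside the EAP-TTLS tunnel can); it is not code from the thread, from FreeRADIUS or from OpenLDAP. It models the CHAP-style challenge/response that EAP-MD5 uses and a PAP check against a hashed userPassword. The stored hash uses OpenLDAP's {SSHA} scheme instead of {CRYPT} (an assumption made so the example needs only the Python standard library; the reasoning is the same for any one-way hash, {CRYPT} included). The user, challenge and salt are constructed sample data.

```python
"""Why EAP-MD5 needs a cleartext password and PAP does not.

Added illustration, not code from the freeradius-users thread or from
FreeRADIUS/OpenLDAP. The stored hash is {SSHA} rather than {CRYPT} (an
assumption so that only hashlib is needed; the argument is identical for
{CRYPT} or any other one-way hash).
"""
import base64
import hashlib
import hmac

# Constructed sample data: one LDAP user, a fixed challenge and salt so the
# run is deterministic. A real server draws both from a CSPRNG.
PASSWORD = b"correct horse battery staple"
CHALLENGE = bytes(range(16))            # 16-byte EAP-MD5 challenge
SALT = b"\x01\x02\x03\x04"              # 4-byte SSHA salt


# ---------- EAP-MD5 / CHAP (RFC 1994 section 4.1, RFC 3748 section 5.4) ----------

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Supplicant side: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from whatever 'secret' it holds.

    This only succeeds when 'secret' is the same cleartext the supplicant
    used. MD5 runs over the password bytes themselves, so a server that has
    only a hash of the password has nothing usable to feed in.
    """
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


# ---------- PAP against a {SSHA} userPassword ----------

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(SHA1(pw || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_verify(password: bytes, stored: str) -> bool:
    """Server side for PAP: the cleartext arrived (protected by the TTLS
    tunnel), so the server re-hashes it with the stored salt and compares.
    An LDAP bind with that cleartext would be the other option from the reply.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("example only handles {SSHA} userPassword values")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def demo() -> dict:
    """Run both methods against the same LDAP entry and report the outcomes."""
    stored = make_ssha(PASSWORD, SALT)      # what sits in userPassword
    ident = 0x2A
    response = chap_response(ident, PASSWORD, CHALLENGE)   # sent by supplicant
    return {
        # Server holding the cleartext: what EAP-MD5 actually requires.
        "md5_with_cleartext": chap_verify(ident, PASSWORD, CHALLENGE, response),
        # The patch proposed in the thread ("crypt the supplied password,
        # then compare"): the server only has the stored hash to work with,
        # and MD5(id || SSHA(pw) || challenge) != MD5(id || pw || challenge).
        "md5_with_stored_hash": chap_verify(ident, stored.encode(), CHALLENGE, response),
        # PAP: the cleartext reaches the server, so a one-way hash suffices.
        "pap_correct": pap_verify(PASSWORD, stored),
        "pap_wrong": pap_verify(b"wrong password", stored),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'OK' if ok else 'FAIL'}")
```

The first and third results succeed; the second fails regardless of how the server transforms the stored hash, because the supplicant's MD5 input contains the raw password and nothing on the server side can reproduce it from a one-way hash. That is the protocol-level reason the reply gives for needing cleartext passwords with EAP-MD5, and why PAP (or an LDAP bind) inside the tunnel is the workable choice with {CRYPT} entries.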
