RE: does freeradius 0.8.1 support EAP/TLS and MPPE dynamic keying?

2003-02-04 Thread Lars Viklund

> From: Jason Jin [mailto:[EMAIL PROTECTED]] 
> Sent: den 3 februari 2003 18:26
> To: [EMAIL PROTECTED]
> Subject: RE: does freeradius 0.8.1 support EAP/TLS and MPPE 
> dynamic keying?
> 
> 
> hi,all
> 
> I'm trying to set up freeradius EAP/TLS + MPPE for a Windows XP 
> wireless client. I'm following Raymond McKay's How-to 
> article at http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
> 
> The document states that it needs the CVS version of freeradius (
> as of 10/30/02). Is this still the case? Or can I use the 
> freeradius 0.8.1 release? 

0.8.0 or later should be ok.
 
> Also, the document needs to have these versions of openssl 
> installed: 0.9.6g, 0.9.7-beta-3 and SNAP-20021027. Will a 
> single stable openssl 0.9.7 release work? 

I would guess it does, but I'm not sure.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Radius rekeying

2003-02-04 Thread Lars Viklund

> From: Jianping Jiang [mailto:[EMAIL PROTECTED]] 
> Sent: den 31 januari 2003 20:49
> To: [EMAIL PROTECTED]
> Subject: Radius rekeying
> 
> 
> All,
> 
> I just started using FreeRadius. 
> I am using the freeradius server (along with openssl)
> on a linux PC, a cisco access point, and a wireless
> LAN client card to run 802.1x and EAP/TLS. I would
> like the radius server to do rekeying (of the unicast
> key) say every 20 minutes. I have looked in the config
> files of freeradius, but didn't find anyway to do
> this. Does anybody know how to set the server to do
> rekeying?

You're confused. The RADIUS server doesn't do rekeying, the AP does.

--
Lars Viklund
Expert Software Engineer
Embedded Platforms
Axis Communications AB




RE: PEAP support

2003-01-10 Thread Lars Viklund

> From: Paul Wang [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 december 2002 19:48
> To: Freeradius-Users@Lists. Cistron. Nl
> Subject: PEAP support
> 
> 
> Lars,
> 
>   I got stuck at part-II. After the server send the first 
> packet (Request for Identity, after confirm with Microsoft it 
> is one byte of value 1) in the TLS channel, there is no 
> response from XP client. Any chance you might look into this 
> in near future such that we might team up together to work 
> this out? or someone else might be interested in tackling 
> this? Thanks.

Hi,

I apologize for not answering earlier. I've been on vacation and busy with other stuff.

We are interested in working with you on this, although we cannot spend a lot of time 
on it. If you send us your code we will take a look at it next week and see if we can 
provide any help.

--
Lars Viklund
Expert Software Engineer
Embedded Platforms
Axis Communications AB




RE: PEAP support

2002-12-12 Thread Lars Viklund

> From: Ynjiun P. Wang [mailto:[EMAIL PROTECTED]] 
> Sent: den 12 december 2002 00:51
> To: Freeradius-Users@Lists. Cistron. Nl
> Subject: PEAP support
> 
> 
> Lars
> 
>   I am using the EAP-TLS code base and tweak it to work 
> up to the point of finishing PEAP Part I. Now XP can talk to 
> my prototype up to the Part I. 

Cool!

> Now I am getting into the Part 
> II to send EAP packet under TLS tunnel. Could you suggest 
> where to add the Part II code given the EAP-TLS code base? 
> and how to bootstrap EAP code assuming everything recursively 
> happening again? 

Sorry, I haven't had time to look closely at this. However, obviously you would like 
to hook into the rlm_eap module to be able to reuse the existing EAP machinery. I 
suspect you'll have to modify this module slightly to allow this.

> (PEAP is actually EAP-TLS-EAP, am I right?)

I guess you could say that it is EAP-TLS-EAP-X, where X is any EAP method.




RE: Security flaw in EAP/TLS

2002-12-11 Thread Lars Viklund

> From: Klaus Heck [mailto:[EMAIL PROTECTED]] 
> Sent: den 11 december 2002 13:06
> To: [EMAIL PROTECTED]
> Subject: Security flaw in EAP/TLS
> 
> 
> I'm using EAP/TLS authentication with an aironet 350 ap and 
> win2k client.
> 
> The win2k client (like the nt client) allows you to specify a login 
> name different from the name within the certificate. Now, the 
> user name in the cert is used for auth but the (different) 
> login name is stored in the UserName attribute of my 
> accounting table (MySql). If I know a valid user other than 
> me, I can log in with my cert but let the other one pay for 
> it. 

Yes, this was discussed on this list a couple of weeks ago:

http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11193.html

> Is there a way to make sure that the user name and the 
> login name are the same?

Sure, but you will have to add code to the rlm_eap_tls module.




Re: MS-CHAPv1 does not encrypt MPPE keys

2002-12-10 Thread Lars Viklund
On Tue, 2002-12-10 at 21:46, Martin Gadbois wrote:
> I found that freeradius-0.8 does not encrypt the MS-CHAPv1 MPPE keys as specified by 
> RFC 2548 sec. 2.4.1.
> In fact, that code was commented out.

If you read the CVS log you will notice that this is because the
encryption now is handled in radius.c.

If your FreeRADIUS installation doesn't encrypt the MS-CHAP-MPPE-Keys
attribute this is probably because you have an old version of
dictionary.microsoft installed.






Re: PEAP

2002-12-04 Thread Lars Viklund
On Wed, 2002-12-04 at 21:20, Freerk Bosscha wrote:
> I want to set up a radius server with an LDAP server behind it for its
> userid/password checking for installing 802.1x on my cisco wireless
> lan.
> 
> My question is: is freeradius 0.8+ supporting PEAP? 

No, not yet anyway.

> Is it possible, and how do I need to configure it, to authenticate NT
> / XP users?

Yes, but you will have to use EAP-TLS instead of PEAP, i.e. you will
have to authenticate using certificates. See the mailing list archive.






RE: SSL_read Error: EAP-TLS

2002-11-28 Thread Lars Viklund

> From: Nikhil Chauhan [mailto:[EMAIL PROTECTED]] 

> In addition to the earlier email, I would like to ask
> the developers if we want to call SSL_read() function
> once more if the result error code is
> SSL_ERROR_WANT_READ.

No. It won't do you any good because there isn't any more data in the input buffer yet.




RE: SSL_read Error: EAP-TLS

2002-11-28 Thread Lars Viklund

> Dug inside some of the freeRADIUS code. The function
> SSL_get_error() gets called which returns error code,
> if any. These error codes are defined within the 
> openssl source code.

[...]

> any inputs on how you resolved the issue???

With regards to the SSL_ERROR_WANT_READ errors I'm fairly sure you can just safely 
ignore these as the comment in src/modules/rlm_eap/types/rlm_eap_tls/tls.c suggests. 
The reason the EAP-TLS module get these errors from OpenSSL is probably that the 
OpenSSL code assumes that it reads from a blocking stream. We should probably remove 
the logging of these error messages to avoid confusion.

The SSL_ERROR_SYSCALL errors you get later on in your log I'm not sure about. I don't 
remember if I've seen these before.




Re: Free 802.1X supplicant software for Win2K?

2002-11-25 Thread Lars Viklund
On Tue, 2002-11-26 at 07:57, Jeffery Huang wrote:
> Do you try to use xsupplicant under cygwin?
> Maybe it's a solution!

No, xsupplicant doesn't support EAP-MD5, only EAP-TLS.

> On Tue, 2002-11-26 12:08, Sarick wrote:
> > Do you (anyone) know is there free 802.1x win2000 supplicant software
> > supporting EAP-MD5?






Re: PEAP support

2002-11-25 Thread Lars Viklund
On Mon, 2002-11-25 at 20:34, Ynjiun P. Wang wrote:
> Is http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt the latest 
>draft for PEAP? 

That draft apparently describes the differences between
draft-josefsson-pppext-eap-tls-eap-02.html and what Windows XP SP1
implements ("PEAP Version 0").






Re: PEAP support

2002-11-24 Thread Lars Viklund
On Sun, 2002-11-24 at 05:24, Artur Hecker wrote:
> i don't know if you are really interested in it, but PEAP [2]
> ("protected EAP") is another MS-Cisco invention (built into Windows XP
> SP1 instead of EAP/MD5 as a kind of alternative for EAP/TLS). Nobody seems
> to know so far how it works but 

The basic idea is to run TLS inside EAP and then EAP again within the
TLS session. Thus it is fairly similar to EAP-TTLS and seems to give
about the same advantages (support for legacy authentication methods,
protection of the identity, etc.).

The ID you reference (-05 is the latest version) should be sufficient to
implement it.

> it probably gives mutual auth and key
> negotiation

Yes.

> [2]
> http://www.globecom.net/ietf/draft/draft-josefsson-pppext-eap-tls-eap-02.html






RE: eap_identity or username attribute? (to Artur and lars)

2002-11-20 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 november 2002 19:16
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)

> > If the realm is stripped away, wouldn't this work just fine as long
> > as you just verify the User-Name against the certificate and ignore
> > the EAP identity?
> 
> e.g., but then you propose to not verify the equality of all 
> THREE fields.

Yes. As we have discussed the important point is to verify that the User-Name used for 
authorization (and accounting) corresponds to the certificate used for authentication. 
The EAP identity shouldn't really matter if the User-Name is used directly for this 
verification. 

I think verifying that the User-Name matches the EAP identity is more of a sanity 
check that can be ignored, without affecting security, if that simplifies the 
scenarios you are thinking about.




RE: eap_identity or username attribute? (to Artur and lars)

2002-11-20 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 20 november 2002 17:15
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)

> i agree with that too, but why does this box exist in Windows then? i
> personally tend to think (and so I used it in that way some times during
> the test phase), that it exists in order to add a realm to the name.

I think the primary purpose is to allow the user to select a certificate other than 
the one associated with the currently logged in windows user. This makes perfect 
sense. 

The option to specify an EAP identity other than the one that corresponds to the 
certificate only seems to makes sense in some environments, for instance if you assume 
that all clients with valid certificates are implicitly authorized.

> an example: when you are certifying users in your closed domain, you
> could have certified users like "lars", "artur", etc., why not, it's 
> your domain, so you don't care.

Using such names in the certificates is obviously a bad idea :-)

> then, one day, you expand and your domain gets a second part, with a
> completely different architecture. so, you would like the radius server
> in the second part to simply forward the request to the original domain,
> right? (you bet that re-certification is NOT wanted). so with the
> current approach, you simply type in windows XP: use another name for
> this connection: windows proposes "artur", you add "@old_site" or
> something similar and here we go, the radius server forwards to the old
> site and everything works (with the new server stripping the realm
> away, e.g. or having reconfigured the server at old_site).
> 
> if you verify that, then you have a problem. it won't work.

If the realm is stripped away, wouldn't this work just fine as long as you just verify 
the User-Name against the certificate and ignore the EAP identity?

> i would tend to think, that the certificate has to be seen as the
> authentication method and the only reliable information. now of course 

Yes.

> you are right that it has to be bound to the User-Name, since the
> authorization happens with that one later... 

Yes.

> perhaps we have to define rules for equality of User-Name and the
> certified identity. one reasonable way for equality would be to take
> into consideration the defined realms and suffixes in the radius.conf
> (proxy.conf).

Maybe.

> i.e., if e.g. in the radius.conf you've defined a suffix "@", and a
> realm "old_site1", then freeradius should consider the certified "kevin"
> and the User-Name "kevin@old_site1" as being the same, except of course
> if it knows "kevin" locally. just an idea, which probably has bugs.
> 
> what do you think?

I guess that would work at least for the scenario you described above. An alternative 
would be to by default require that the User-Name matches exactly, but allow the 
server configuration to instead specify an external program/script to do the 
comparison. That way you can handle all kind of weird cases but it is up to the server 
administrator to specify the exact rules for equality.

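An added example, not rlm_eap_tls code, of the User-Name-to-certificate binding this thread and the "Security flaw in EAP/TLS" post above call for: exact match by default, with Artur's realm-aware equality as the only tolerated difference. The caller supplies the certified identity (whichever certificate field the deployment uses), and the constructed realm list stands in for the realms configured in proxy.conf.

```python
"""Bind the RADIUS User-Name to the identity certified by the EAP-TLS client cert.

Added example, not rlm_eap_tls code. The caller supplies the certified identity
(whichever subject field the deployment uses); known_realms models the realms
the server is configured to strip, as in Artur's proposal. Names are constructed.
"""


def split_realm(user_name, suffix="@"):
    """Split 'user@realm' into (user, realm); realm is None without a suffix."""
    if suffix not in user_name:
        return user_name, None
    user, realm = user_name.rsplit(suffix, 1)
    return user, (realm or None)


def check_identity(user_name, cert_identity, known_realms=(), suffix="@"):
    """Return (accepted, reason). Default rule: exact match; otherwise the only
    tolerated difference is a realm the server itself would strip. Everything
    else is rejected, because authorization and accounting would otherwise be
    charged to an identity the certificate does not prove."""
    if not user_name or not cert_identity:
        return False, "missing User-Name or certificate identity"
    if user_name == cert_identity:
        return True, "exact match"
    user, realm = split_realm(user_name, suffix)
    if realm is None:
        return False, "User-Name %r differs from certified %r" % (user_name, cert_identity)
    if realm not in known_realms:
        return False, "unknown realm %r; refusing to strip it" % realm
    if user != cert_identity:
        return False, "stripped User-Name %r differs from certified %r" % (user, cert_identity)
    return True, "match after stripping configured realm %r" % realm
```

The reason string is meant for the server log, so a rejected request shows which rule fired.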



RE: eap_identity or username attribute? (to Artur and lars)

2002-11-20 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 november 2002 14:51
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)

> so you want the rlm_eap_tls to check if eap_id = certified identity, 
> right? sounds very reasonable to me, but in some weird way, Windows XP
> gives the possibility to use a certificate and explicitly type in some
> name which has to be put in eap_identity then.

What weird way are you referring to? Is it the "Use a different user name for the 
connection" check box you are talking about or something else?

> so we probably shouldn't verify that...

But if you don't verify that the User-Name (or EAP identity, if you have already 
verified that the User-Name and EAP identity are the same) corresponds to the 
certificate then any authorization or accounting is basically meaningless.




RE: eap_identity or username attribute? (to Artur and lars)

2002-11-20 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 

> James Xie wrote:
> > Hi, Can I say both of you premise that NAS(radius client) must set 
> > User-Name value to eap-id? I see in FreeRadius that the username to
> 
> i can't speak for Lars, but i would say yes, that's what is 
> dictated by the standard. the ap must set the User-Name to 
> eap-id since it is the first instance to create a Radius 
> packet. all packets before are NOT radius.

Promise that it "must" is a bit strong :-) However, I would say that a NAS that 
doesn't do this is broken.

> > used to authorize is set to the User-Name attribute value. If User-Name
> > value is null then eap-id is set to it. Now if NAS sends a packet to
> > FreeRadius whose User-Name attribute is not the same as eap-id, then
> > there will be a logic bug. So I believe that it makes sense to let the
> > rlm_eap module check consistency between User-Name and eap-id.
> 
> i believe it, too. i just have some doubts in the situation 
> mentioned in my previous mail. i could be wrong, though :) 
> but you still should prove it.

Yes, but note that just adding this check will not close the hole we discussed 
previously since the rlm_eap_tls module currently doesn't seem to check the EAP 
identity.




RE: eap_identity or username attribute?

2002-11-20 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 20:27
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?

> i only wanted to say, that the certified identity could be e.g. 
> [EMAIL PROTECTED] so, the eap-id would carry [EMAIL PROTECTED] each AP 
> should basically put this value into User-Name, so it would be 
> [EMAIL PROTECTED] again. We could verify that for both 
> authentication and 
> authorization the three fields are the same, certificate = eap-id = 
> User-Name.

Right. I don't think it is standardized how to check that the identity/user-name 
corresponds to the certificate, so one would probably just base the check on what Win 
XP does.
 
> now the server receiving the request from the AP happens to be in 
> visited.com. so it has to proxy the request to the home.com radius 
> server. it could happen, that home.com (being some huge ISP) demands a
> stripped user-name, i.e. simply kevin. so the server at visited.com 
> would strip it, but in the User-Name only, since the EAP-Message is not
> considered when proxying. Now home.com, when running freeradius, would
> state that the three attributes mentioned before are *not* the same and
> would reject, right? or did i misunderstand your point?

I see your point, but I just don't think it makes sense to demand a stripped User-Name 
when using certificates for authentication.




RE: eap_identity or username attribute?

2002-11-19 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 18:49
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
> 
> 
> Lars,
> 
> in the IEEE Std 802.1X-2001 there is the following:
> 
> 
> D.3.1 User-Name
> In IEEE Std 802.1X-2001, the supplicant typically provides its
> identity via an EAP-Response/Identity message. Where available, the
> supplicant identity is included in the User-Name attribute and included
> in the RADIUS Access-Request and Access-Reply messages as specified in
> IETF RFC 2865.
> Alternatively, where Service-Type = Call Check, the User-Name attribute
> contains the Calling-Station-ID value, which is set to the Supplicant 
> MAC address.

This is basically the same text as in the congdon ID.
 
> > I think the critical point is that the rlm_eap_tls module should 
> > verify that the User-Name, that is used for authorization, corresponds
> > to the client certificate used for authentication. It looks like it 
> > doesn't do this currently.
> 
> spontaneously, i would agree with that but we should definitely verify
> it for the case of proxying. Notably the stripping of realms could 
> provoke enormous problems here, don't you think? (since the realms 
> syntax is completely free, this includes every modification of User-Name
> whatsoever).

I'm not quite sure I understand what the problem is. I would say that the rlm_eap_tls 
module has to check that the User-Name/EAP-Identity corresponds to the client 
certificate (this is a SHOULD in RFC 2716). Otherwise there is little point in 
authorizing at all.

> additionally, the "Alternatively" part of the citation above could 
> be a problem, too.

I don't really think it makes sense to use EAP-TLS with Service-Type = Call Check, so 
I'm not sure this is a problem.
 
> nothing to do with the topic, but since everybody is talking about this
> draft: after all it's still a draft, and perhaps it will never become an
> RFC, what do you think?
> 
> we have to follow the 802.1X norm. and also here i have some doubts 
> about the proxying.

I don't think there are any contradictions between Std 802.1X and the congdon ID.




RE: eap_identity or username attribute?

2002-11-19 Thread Lars Viklund

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
> 
> 
> shouldn't those two be always set to the same? i can't 
> remember, but i think that i read something like this in the 
> "Usage of RADIUS with IEEE 802.1X" recommendations once...
> 
> try to take a look.
> 
> 
> James Xie wrote:
> > HI,
> > I am debugging the EAP-TLS module. Who can tell me which value FreeRadius
> > should use (eap_identity or the username attribute of the radius packet)
> > to authorize the supplicant? Now I am using the rlm_sql module to
> > authorize the supplicant. Must I set the username in the database to
> > eap_identity? If not, is there a security hole? Thanks!

I think the critical point is that the rlm_eap_tls module should verify
that the User-Name, that is used for authorization, corresponds to the 
client certificate used for authentication. It looks like it doesn't do 
this currently.

The congdon ID specifies that the User-Name should be the EAP identity.
It would perhaps make sense to have the rlm_eap module verify that the 
User-Name matches the EAP identity also, although this isn't critical 
unless the rlm_eap_tls module matches the identity, rather than the 
User-Name, against the certificate.




Re: EAP-TLS re-keying

2002-11-14 Thread Lars Viklund
On Thu, 2002-11-14 at 13:22, BUTTI Laurent FTRD/DTL/ISS wrote:
> My Orinoco AP-2000 seems to send 2 broadcast and 1 unicast WEP keys. 

ok. I don't really see the point in distributing more than one
broadcast key, but of course there is nothing wrong with doing it.

> > Not quite. It will send (at least) two EAPOL-Key messages but the
> > unicast one does not include the actual key. 
> 
> Ok. 
> Do you have any traces? I would want to know how the EAPOL-Key frames
> from Orinoco and Cisco differ... 

I don't have the traces handy right now. I'll dig them out and send them
tomorrow.

> > > * I didn't test re-keying on Cisco, but if Cisco uses MPPE-Send-Key
> > > to have data-link ciphering with WEP (truncating the MPPE-Send key);
> > > it is necessary to have a full re-authentication if we want a real 
> > > "re-keying", am i wrong ? 
> > 
> > I think you're correct. One could think of other schemes that would
> > handle this though, see this thread for instance: 
> > http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg07532.html
> 
> So supplicants must support these different schemes, for mitigating 
> interoperability issues. It is probably the case for WindowsXP, what
> about Xsupplicant ? 

What I meant to say is that the problem _could_ be solved in other ways.
As far as I know the scheme discussed in the thread I referenced isn't
actually implemented by anyone.

> Moreover, firmware and drivers of WLAN cards should be critical for
> re-keying, as 802.1X support must be achieved, but not re-keying in my
> opinion (only i/o instructions to change/delete/bind keys, but no
> management of 802.1X state). Am i wrong ? 

You are right.

> > or 
> > 
> > Get the MPPE-{Send/Recv}-Keys generated by the RADIUS server, e.g. 
> > by having the rlm_eap_tls module log them. Capture the EAPOL-Key 
> > messages sent by the AP and decrypt the key fields to get the WEP 
> > keys. Capture data frames sent between the AP and the STA, decrypt 
> > them and verify the ICV (or verify that the MSDU is correct some 
> > other way). 
> 
> Ok. 
> 
> Validation of re-keying should work as follows : 
> - Decrypt MPPE-Send-key in RADIUS frames by using shared secret. 

Yes. Although it may be quicker to modify the rlm_eap_tls module to log
the keys it sends instead (just a couple of lines of code).

> - Find WEP keys : 
> - If Cisco : Truncate MPPE-Send-Key previously found to the WEP key
> length, for Unicast WEP key. And decrypt EAPOL-Key {Broadcast} with
> MPPE-Send-Key, to find WEP broadcast key. 
> - If Orinoco : Decrypt EAPOL-Key { Unicast | Broadcast } with
> MPPE-Send-Key. 

Or rather, if the Key field is present decrypt it to find the WEP key,
otherwise truncate the MS-MPPE-Send-Key to the correct length to get the
WEP key.

Also, if the Key field is present it is encrypted with the Key IV field
concatenated with the MS-MPPE-Recv-Key (not with the MS-MPPE-Send-Key).

> - Decrypt data link WEP-protected frames by using previously recovered
> keying material. 

Yes.

> This should work with every Supplicant <=> Authenticator <=>
> Authentication Server, without any trust of any entity. 

Yes.



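Step one of the validation procedure above, decrypting the MS-MPPE keys from the Access-Accept with the shared secret, as an added Python example (not FreeRADIUS code): it implements the RFC 2548 String-field encryption and decryption plus the Vendor-Specific attribute parsing needed to locate the two attributes. The shared secret, Request-Authenticator and keys are constructed.

```python
"""Decrypt MS-MPPE-Send-Key / MS-MPPE-Recv-Key from a RADIUS Access-Accept.

RFC 2548 2.4.2/2.4.3: String = 2-byte salt (high bit set) || [len | key | pad],
XORed block-wise with an MD5 keystream chained on the shared secret, the
Request-Authenticator, the salt and the previous ciphertext block.
Added example; the secret, authenticator and keys below are constructed.
"""
import hashlib
import struct

VENDOR_MICROSOFT = 311
MS_MPPE_SEND_KEY = 16   # vendor type of MS-MPPE-Send-Key
MS_MPPE_RECV_KEY = 17   # vendor type of MS-MPPE-Recv-Key


def _mppe_keystream_apply(secret, authenticator, salt, data, encrypt):
    """b(1) = MD5(S+R+A), b(i) = MD5(S+c(i-1)); chain on the ciphertext block."""
    out = bytearray()
    prev_cipher = None
    for i in range(0, len(data), 16):
        if prev_cipher is None:
            b = hashlib.md5(secret + authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev_cipher).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out += block
        prev_cipher = block if encrypt else data[i:i + 16]   # output vs input ciphertext
    return bytes(out)


def mppe_key_encrypt(secret, authenticator, key, salt):
    """Produce the String field (salt || ciphertext) the way the server does."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first set")
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)      # pad to a multiple of 16
    return salt + _mppe_keystream_apply(secret, authenticator, salt, plaintext, True)


def mppe_key_decrypt(secret, authenticator, string):
    """Recover the key from a String field; ValueError on malformed input."""
    if len(string) < 18 or (len(string) - 2) % 16:
        raise ValueError("String must be a 2-byte salt plus a multiple of 16 bytes")
    salt, ciphertext = string[:2], string[2:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    plaintext = _mppe_keystream_apply(secret, authenticator, salt, ciphertext, False)
    key_len = plaintext[0]
    if key_len > len(plaintext) - 1:
        raise ValueError("key length byte exceeds decrypted data (wrong secret?)")
    return plaintext[1:1 + key_len]


def build_mppe_vsa(vtype, string):
    """Wrap one encrypted key as a Vendor-Specific (26) attribute, vendor 311."""
    vendor_data = bytes([vtype, 2 + len(string)]) + string
    value = struct.pack("!I", VENDOR_MICROSOFT) + vendor_data
    return bytes([26, 2 + len(value)]) + value


def parse_mppe_keys(secret, req_authenticator, attributes):
    """Walk the attributes after the 20-byte RADIUS header and decrypt both keys.
    The keystream is bound to the Request-Authenticator of the Access-Request
    being answered, not to the Access-Accept's own authenticator."""
    keys = {}
    pos = 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = attributes[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:      # only Vendor-Specific is of interest
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
            continue
        vtype, vlen = value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("malformed vendor attribute")
        vstring = value[6:4 + vlen]
        if vtype == MS_MPPE_SEND_KEY:
            keys["send"] = mppe_key_decrypt(secret, req_authenticator, vstring)
        elif vtype == MS_MPPE_RECV_KEY:
            keys["recv"] = mppe_key_decrypt(secret, req_authenticator, vstring)
    return keys


SECRET = b"constructed-shared-secret"          # constructed, not a real secret
REQ_AUTH = bytes(range(16))                    # Request-Authenticator of the Access-Request
SEND_KEY = bytes(range(0x10, 0x30))            # 32-byte constructed MS-MPPE-Send-Key
RECV_KEY = bytes(range(0x40, 0x60))            # 32-byte constructed MS-MPPE-Recv-Key


def demo():
    """Encode the two keys as a server would, then recover them as the validator."""
    attrs = (build_mppe_vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(SECRET, REQ_AUTH, SEND_KEY, b"\x80\x01"))
             + build_mppe_vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(SECRET, REQ_AUTH, RECV_KEY, b"\x80\x02")))
    return parse_mppe_keys(SECRET, REQ_AUTH, attrs)
```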



Re: CISCO LEAP

2002-11-13 Thread Lars Viklund
On Wed, 2002-11-13 at 16:06, Jeremy Salch wrote:
> On Wednesday 13 November 2002 06:52 pm, Mike Paneth wrote:
> > We are about to setup a wireless network based on CISCO 1200 APs and need
> > to control access.
> >
> > Does anyone know how to get Freeradius working with CISCO LEAP?
> 
>   It can't.

Not yet anyway.

> LEAP is a Cisco Proprietary EAP type to cisco..  

Yes.

> you'll have to shell out the cash for this one.  

I don't think that's necessarily true. Someone just has to write a
FreeRADIUS module for it. There are public descriptions of the protocol
(http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt) and it doesn't
seem hard to implement.






RE: EAP-TLS re-keying

2002-11-13 Thread Lars Viklund

> From: BUTTI Laurent FTRD/DTL/ISS [mailto:laurent.butti@rd.francetelecom.com] 
> Sent: den 13 november 2002 18:43
> To: [EMAIL PROTECTED]
> Subject: EAP-TLS re-keying

> I have an Orinoco AP-2000 (2.0.2) and a windows XP client SP1. 
> MPPE-{Send/Recv}-key seems to be successfully interpreted by the 
> AP-2000, as 3 EAPOL-Key frames are sent to the client. 

The access points we have tested seem to send two EAPOL-Key messages, 
one with the unicast key and one with a broadcast (default) key. 
What are key index fields in the three messages you see? Does the AP 
send two broadcast (default) keys with different indexes?

> So this scheme is 
> different than Cisco's scheme that seems to send only one EAPOL-Key 
> according to Lars Viklund. 

Not quite. It will send (at least) two EAPOL-Key messages but the unicast 
one does not include the actual key.

> Moreover, re-keying seems to work by configuring a short key lifetime on 
> AP-2000, every time t : 3 new EAPOL-Key frames are sent from AP-2000 to 
> WinXP client. 
> What i'm trying to do is : validating that the new WEP key sent by 
> AP-2000 using EAPOL-Key is really used. 
> I have several questions / remarks : 
> * Sending a new WEP key doesn't prove that it is really used on both 
>   client and access point sides. It should be dependent on both hardware 
>   (as WEP ciphering should be done in firmware WLAN card, so WLAN card 
>   drivers must support 802.1X) and software in Windows XP. 

True, although if your traffic is WEP encrypted and still gets through after 
the rekeying then either the new keys are used on both sides or not at all.

> * I didn't test re-keying on Cisco, but if Cisco uses MPPE-Send-Key to 
> have data-link ciphering with WEP (truncating the MPPE-Send key); it is 
> necessary to have a full re-authentication if we want a real 
> "re-keying", am i wrong ? 

I think you're correct. One could think of other schemes that would handle 
this though, see this thread for instance:
http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg07532.html

> * Do you know any tip to validate that ? 
> - By using NDIS hooking ? 

Probably possible but I have no idea how.

> - By any debug mode on AP-2000 ? 

Since you obviously don't trust the AP-2000 to use the new keys after it has 
sent the new EAPOL-Key messages, would you trust debug output from it? :-)

> - Any other idea ? 

You could:

Test with xsupplicant instead of Win XP. That way you can easily
verify that the supplicant actually changes the keys when it receives 
the new EAPOL-Key messages.

or

Get the MPPE-{Send/Recv}-Keys generated by the RADIUS server, e.g.
by having the rlm_eap_tls module log them. Capture the EAPOL-Key 
messages sent by the AP and decrypt the key fields to get the WEP
keys. Capture data frames sent between the AP and the STA, decrypt
them and verify the ICV (or verify that the MSDU is correct some
other way). 




RE: EAP-TLS + ORINOCO AP-2000 + Dynamic WEP (Windows XP Supplicant)

2002-10-28 Thread Lars Viklund

> From: McKay, Raymond [mailto:RMcKay@vugames.com] 
> Sent: den 28 oktober 2002 16:32
> To: '[EMAIL PROTECTED]'
> Subject: RE: EAP-TLS + ORINOCO AP-2000 + Dynamic WEP (Windows XP Supplicant)

> I am using FreeRadius 0.7.1

For this to work you need our addition to the EAP-TLS module for generating and 
distributing keys. It is included in CVS but not in the 0.7.1 release.

--
Lars Viklund
Expert Software Engineer
Embedded Platforms
Axis Communications AB




RE: question about EAP dynamic keys generation

2002-10-04 Thread Lars Viklund


> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 

> On 2 Oct 2002, Lars Viklund wrote:
> > send the supplicant an EAPOL-Key message with an empty Key field, 
> > which means use the specified number of bits from the MS-MPPE-Send-Key
> > as the key-mapping key.
> >
> 
> cool, i didn't know the second possibility existed. where can 
> i see that? in the 1X standard?

Yes, it is specified in the 802.1X standard (section 7.6.7) as well as in the congdon 
ID (section 4).




Re: question about EAP dynamic keys generation

2002-10-02 Thread Lars Viklund

On Wed, 2002-10-02 at 10:25, Pat Calhoun wrote:
> This is what I am trying to do, but XP doesn't seem happy. I suspect
> that as I mentioned above, I need to find the exact congdon draft that
> covers 802.1X expected behavior :(

It seems like section 4 in the congdon -20 draft just describes what
section 7.6 in IEEE Std 802.1X-2001 says in a little more detail, so
this should be the 802.1X behavior. Whether or not Win XP implements the
final version of 802.1X is another matter...






Re: question about EAP dynamic keys generation

2002-10-02 Thread Lars Viklund

On Wed, 2002-10-02 at 09:24, Pat Calhoun wrote:
> > send the supplicant an EAPOL-Key message with an empty Key field, which
> > means use the specified number of bits from the MS-MPPE-Send-Key as the
> > key-mapping key.
> 
> check... unfortunately, this doesn't appear to work. 

Do you mean "not work" in the sense that Win XP doesn't accept such
EAPOL-Key messages that you send to it?

> However, I found
> going through the various revisions of the congdon draft that the
> signature has changed over time, and this may be what's biting me. I
> found that in -17 of the draft, the signature doesn't cover the EAPOL
> header, while -20 it does. I suspect what's going on is that they are
> trying to play catch up with the work in .1aa, but it would be really
> nice if there were a draft that showed how 802.1X worked :(
> 
> Any ideas how XP behaves?

No, but I seem to remember that the Cisco 340 sends EAPOL-Key with an
empty Key field (at least if 104-bit keys are used) and that this works
with Win XP, so it should be possible to figure out the details.






Re: question about EAP dynamic keys generation

2002-10-02 Thread Lars Viklund

On Wed, 2002-10-02 at 08:08, Pat Calhoun wrote:
> Does anyone have a clue how the AP selects the right key to use as the
> key-mapping-key? 

It can either:

invent a random key-mapping (unicast) key and send it to the supplicant
in an EAPOL-Key message signed with the MS-MPPE-Send-Key and encrypted
with the MS-MPPE-Recv-Key

or

send the supplicant an EAPOL-Key message with an empty Key field, which
means use the specified number of bits from the MS-MPPE-Send-Key as the
key-mapping key.






RE: EAP-TLS

2002-08-20 Thread Lars Viklund


> From: Nayak, Ramakrishna [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 augusti 2002 17:43
> To: '[EMAIL PROTECTED]'
> Subject: EAP-TLS
> 
> 
> Hello,
> 
> In the EAP-TLS discussions, it was mentioned that there is a 
> patch for the generation of keying sent by Henrik ( 
>
http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg06926.html)
> 
> I cannot find that patch. Can someone please provide the link/patch?

Here it is:
http://lists.cistron.nl/archives/freeradius-users/2002/06/frm00485.html




RE: Re: EAP/TLS with Windows XP cannot work

2002-08-16 Thread Lars Viklund


> From: Chung Yun Liang
> To: [EMAIL PROTECTED]
> Sent: 8/15/2002 4:24 AM
> Subject: Re: Re: EAP/TLS with Windows XP cannot work
>
> >are you sure that the certificates correspond to the 
> >certificates of the
> >server? 
> 
> Yes, because the certificates are downloaded from an example link (
> http://www.missl.cs.umd.edu/wireless/eaptls/keys/cert.tgz)
>   which is
> generated by OpenSSL. Then I copy the client certificate to install into
> Windows XP. 
>  
> But back to my question, the system didn't prompt me any certificate
> mismatch or error, it say that "Windows was unable to find a certificate
> to log you on to the network ..."

Have you checked that the certificates include the appropriate extended
key usage extension as Artur suggested? If they don't you will get exactly
this error.




RE: question about EAP dynamic keys generation

2002-08-02 Thread Lars Viklund

 
> From: Artur Hecker
> To: Lars Viklund; [EMAIL PROTECTED]
> Cc: Raghu
> Sent: 8/2/2002 10:04 PM
> Subject: Re: question about EAP dynamic keys generation

> Ok, thank you. Since you were participating in the patch developing:
> which algorithms do they use for key derivation, signing and encryption
> beginning from the TLS master key? (yes, i could look in the code).

The MPPE keys are derived by running the TLS pseudo-random function
(which is based on HMAC-MD5 and HMAC-SHA1) on the TLS master secret
with the client and server randoms as seed.

The key in the EAPOL-Key message is encrypted with RC4 and signed 
with HMAC-MD5.

> Well, I would do it exactly the other way round: I would rekey each time
> TLS rekeys... Except that the standard TLS rekey time is too long for
> rapid rekeying which should be done in the WEP case...
> 
> Actually, it would be possible to rekey with "my" way in almost the same
> manner: at some point of time the AP and the supplicant possess the same
> key material. The EAPOL-Key message would be just a trigger for rekeying
> (signed to prevent DOS).
> 
> The only point I don't like about the currently used scheme is, that
> there are keys which are sent over the air-interface although those
> could be derived independently. During for broadcast keys it's
> necessary, I don't really see why they do it in the unicast case. And
> additionally, the broadcast key doesn't have to be as secure as the
> unicast (in fact, supplicant doesn't have a trust relationship to other
> members of the BSS, only AP does). 

I can't see any reason why "your" way wouldn't work.

> Raghu supposed that in that manner
> they use exactly the same method for unicast and broadcast key; indeed,
> in "my" case there would be two variants. 

That could be one reason. 

> Lars, I actually have a problem with your patch which I applied to 0.6:
> it compiled correctly and i can see the MPPE keys in the access accept
> but the AP and the supplicant seem to be out of sync, i.e. I can't
> transmit any data. Could you help me? What points should I check? (i use
> XP with cisco ap340).

I suggest that you first sniff the wireless traffic and check if the AP
sends any EAPOL-Key messages to the supplicant. 

We haven't actually tested the patch with a Cisco AP but we could
try to do that.

> Lars or somebody: do you know how to sniff on the air interface using
> the cisco 340 adapter under XP?

Sorry, we use PRISM based cards and Ethereal on Linux for sniffing.
The advantage with this setup is that it can capture 802.11 control
and management frames as well as data frames. For this scenario that
shouldn't be needed though.

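Added example, written for this archive and not taken from the list, the patch or any AP firmware: a Python model of the two EAPOL-Key forms Lars lists in his 2002-10-02 reply ("invent a random key ... signed with the MS-MPPE-Send-Key and encrypted with the MS-MPPE-Recv-Key" or "an empty Key field"), using the RC4 encryption and HMAC-MD5 signature he names in the reply above. The frame layout follows the 802.1X-2001 RC4 Key Descriptor as I read it (descriptor type, Key Length, 64-bit Replay Counter, 16-byte Key IV, Key Index with bit 7 set for the unicast key, 16-byte Key Signature, optional Key), with the RC4 key formed as Key IV || first 32 bytes of MS-MPPE-Recv-Key and the signature taken over the whole EAPOL frame with the signature field zeroed, as the -20 draft does. Those layout details, the replay-counter policy and the sample keys are my assumptions, not something the thread states, so check them against the standard before relying on them.

```python
"""Model of the 802.1X-2001 RC4 Key Descriptor: the authenticator builds an
EAPOL-Key frame, the supplicant verifies it and recovers the key-mapping key.
Example code written for this archive; not FreeRADIUS, the patch, or AP code."""
import hashlib
import hmac
import os
import struct

EAPOL_VERSION = 1
EAPOL_TYPE_KEY = 3          # EAPOL packet type for EAPOL-Key
KEY_DESC_RC4 = 1            # RC4 Key Descriptor type
KEY_INDEX_UNICAST = 0x80    # bit 7 of Key Index: 1 = key-mapping (unicast) key
SIG_OFFSET = 4 + 1 + 2 + 8 + 16 + 1   # EAPOL header + fields before Key Signature
KEY_OFFSET = SIG_OFFSET + 16          # start of the (optional) Key field


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Shown only because the 2002 descriptor uses
    it; RC4 is broken and must not be used in new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_eapol_key(recv_key, send_key, key_len, replay, key_index, key=None, iv=None):
    """Authenticator side.  key=None produces the empty-Key-field form (form 2:
    the supplicant takes the key from its own MS-MPPE-Send-Key); otherwise the
    key is RC4-encrypted under Key IV || MS-MPPE-Recv-Key[:32] (form 1).  The
    whole frame is signed with HMAC-MD5 keyed by MS-MPPE-Send-Key[:32]."""
    if key is not None and len(key) != key_len:
        raise ValueError("key does not match the Key Length field")
    iv = os.urandom(16) if iv is None else iv
    enc = b"" if key is None else rc4(iv + recv_key[:32], key)
    body = struct.pack("!BHQ16sB", KEY_DESC_RC4, key_len, replay, iv, key_index)
    body += bytes(16) + enc                     # zeroed signature, then Key field
    frame = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_KEY, len(body)) + body
    sig = hmac.new(send_key[:32], frame, hashlib.md5).digest()
    return frame[:SIG_OFFSET] + sig + frame[KEY_OFFSET:]


def process_eapol_key(frame, recv_key, send_key, last_replay=-1):
    """Supplicant side.  Returns (key_index, key, replay) or raises ValueError.
    Requiring the Replay Counter to increase is this example's policy."""
    if len(frame) < KEY_OFFSET:
        raise ValueError("truncated EAPOL-Key frame")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_KEY or length != len(frame) - 4:
        raise ValueError("not a well-formed EAPOL-Key frame")
    desc, key_len, replay, iv, key_index = struct.unpack("!BHQ16sB", frame[4:SIG_OFFSET])
    if desc != KEY_DESC_RC4:
        raise ValueError("unsupported Key Descriptor type %d" % desc)
    # Check the signature before trusting anything else: HMAC-MD5 over the
    # frame with the Key Signature field zeroed.
    zeroed = frame[:SIG_OFFSET] + bytes(16) + frame[KEY_OFFSET:]
    expected = hmac.new(send_key[:32], zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(frame[SIG_OFFSET:KEY_OFFSET], expected):
        raise ValueError("bad Key Signature")
    if replay <= last_replay:
        raise ValueError("replayed EAPOL-Key")
    enc = frame[KEY_OFFSET:]
    if enc:                                     # form 1: key carried in the frame
        if len(enc) != key_len:
            raise ValueError("Key field length mismatch")
        key = rc4(iv + recv_key[:32], enc)
    else:                                       # form 2: empty Key field
        key = send_key[:key_len]
    return key_index, key, replay


def demo():
    """Both forms with constructed keys (NOT real MPPE keys)."""
    recv_key = bytes(range(32))                 # stands in for MS-MPPE-Recv-Key
    send_key = bytes(range(32, 64))             # stands in for MS-MPPE-Send-Key
    wep = bytes.fromhex("0102030405060708090a0b0c0d")   # 104-bit unicast WEP key
    f1 = build_eapol_key(recv_key, send_key, 13, 1, KEY_INDEX_UNICAST, key=wep, iv=bytes(16))
    f2 = build_eapol_key(recv_key, send_key, 13, 2, KEY_INDEX_UNICAST)
    k1 = process_eapol_key(f1, recv_key, send_key)
    k2 = process_eapol_key(f2, recv_key, send_key, last_replay=k1[2])
    return {"frame1": f1, "key1": k1[1], "key2": k2[1], "wire_key1": f1[KEY_OFFSET:]}


if __name__ == "__main__":
    d = demo()
    print("form 1 recovered:", d["key1"].hex(), "on the wire:", d["wire_key1"].hex())
    print("form 2 recovered:", d["key2"].hex())
```

Whichever form the AP uses, the station ends up with the key only if both sides agree on the Key Descriptor layout and on which MPPE key feeds the RC4 key, the signature and the empty-Key-field case. A disagreement there leaves the AP and the station installed with different WEP keys and no data passing, which is why sniffing whether EAPOL-Key frames are sent at all, and whether the supplicant accepts them, is the first thing to check.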



RE: question about EAP dynamic keys generation

2002-08-02 Thread Lars Viklund

 
> From: Artur Hecker
> To: [EMAIL PROTECTED]
> Cc: Raghu
> Sent: 8/2/2002 5:46 PM
> Subject: Re: question about EAP dynamic keys generation

> Raghu, Henrik: please correct/complete my input.

I'm not Raghu or Henrik, but your description is correct.

One minor detail you didn't include is that the supplicant and authentication
server derive two (256-bit) keys. One is used to encrypt the key field in the
EAPOL-Key message and the other is used to sign it.

> Personal remark: i said it doesn't matter much, because in my opinion
> there are better ways to do that. i would probably never send any
> unicast keys to the supplicant since it can produce them on his own, but
> ok, it seems to work in this way for whatever reason.

I guess that one advantage with doing it this way is that it is possible
to rekey (update the WEP keys) without redoing the TLS authentication.

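Added example, mine and not the patch's code: the derivation described in the two replies above (the TLS pseudo-random function run on the TLS master secret with the client and server randoms as seed, giving the two 256-bit keys, one for encrypting the EAPOL-Key Key field and one for signing), written out in Python. The PRF is the TLS 1.0 one (P_MD5 xor P_SHA-1). The label "client EAP encryption", the 128-byte block and the split (first 32 bytes MS-MPPE-Recv-Key, next 32 bytes MS-MPPE-Send-Key) are taken from RFC 2716, which the thread does not cite, so treat them as an assumption. The second half wraps a key the way RFC 2548 requires before it goes into an Access-Accept, which is the form in which Artur sees the keys in the packet; the master secret, randoms, shared secret and Request Authenticator are constructed test values.

```python
"""EAP-TLS MPPE key derivation (TLS 1.0 PRF on the master secret) and the
RFC 2548 wrapping that carries the keys in a RADIUS Access-Accept.
Example code written for this archive; not the patch's or FreeRADIUS's code."""
import hashlib
import hmac


def _p_hash(hash_fn, secret, seed, length):
    """TLS 1.0 P_hash expansion (RFC 2246 section 5): HMAC chained via A(i)."""
    out = b""
    a = hmac.new(secret, seed, hash_fn).digest()          # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, hash_fn).digest()
        a = hmac.new(secret, a, hash_fn).digest()         # A(i+1)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed), S1/S2 being
    the two halves of the secret (they share a byte if its length is odd)."""
    half = (len(secret) + 1) // 2
    md5_part = _p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha_part = _p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def eap_tls_mppe_keys(master_secret, client_random, server_random):
    """Return (MS-MPPE-Recv-Key, MS-MPPE-Send-Key).  Label, block size and
    split follow RFC 2716 section 3.5 (assumption; the thread does not cite
    it).  Recv-Key encrypts the EAPOL-Key Key field, Send-Key signs the
    frame: the 'two 256-bit keys' of the reply above."""
    block = tls10_prf(master_secret, b"client EAP encryption",
                      client_random + server_random, 128)
    return block[:32], block[32:64]


def mppe_key_encrypt(shared_secret, request_authenticator, key, salt):
    """RFC 2548 key-attribute encryption: plaintext is len||key zero-padded to
    a multiple of 16; c(1) = p(1) xor MD5(S + R + A), c(i) = p(i) xor
    MD5(S + c(i-1)), with S the shared secret, R the Request Authenticator
    and A the 2-byte salt.  Returns Salt || ciphertext."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += bytes((-len(plain)) % 16)
    out = b""
    prev = request_authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        prev = c
    return salt + out


def mppe_key_decrypt(shared_secret, request_authenticator, attr):
    """Inverse of mppe_key_encrypt (what the AP does on receipt); a length
    byte that does not fit is the usual sign of a wrong shared secret."""
    salt, data = attr[:2], attr[2:]
    if len(data) % 16:
        raise ValueError("ciphertext not a multiple of 16 bytes")
    plain = b""
    prev = request_authenticator + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        prev = data[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad key length byte; wrong shared secret?")
    return plain[1:1 + n]


def demo():
    """Constructed inputs; a real run takes them from the TLS handshake and
    the RADIUS Access-Request."""
    master_secret = bytes(range(48))               # constructed, not a real secret
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    shared_secret = b"testing123"                  # constructed RADIUS secret
    request_auth = b"\x33" * 16                    # constructed Request Authenticator
    recv_key, send_key = eap_tls_mppe_keys(master_secret, client_random, server_random)
    wrapped = mppe_key_encrypt(shared_secret, request_auth, send_key, b"\x80\x01")
    unwrapped = mppe_key_decrypt(shared_secret, request_auth, wrapped)
    return {"recv": recv_key, "send": send_key, "wrapped": wrapped, "unwrapped": unwrapped}


if __name__ == "__main__":
    d = demo()
    print("MS-MPPE-Recv-Key", d["recv"].hex())
    print("MS-MPPE-Send-Key", d["send"].hex())
    print("wrapped Send-Key (%d bytes)" % len(d["wrapped"]), d["wrapped"].hex())
```

Two things worth keeping in mind when reading the Access-Accept in a sniffer: the salt must have its high bit set and should differ between the Send-Key and Recv-Key attributes of one packet, and because the wrapping is keyed by the RADIUS shared secret and the Request Authenticator, a key that "looks fine" in the packet can still unwrap to garbage on an AP configured with a different secret.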



RE: EAP documentation

2002-07-16 Thread Lars Viklund

On Fri, 2002-07-12 at 19:02, Henrik Eriksson wrote:
> I think I confused you a bit regarding the broadcast key.
> The broadcast key needs to be sent to the supplicant both
> if it is individual to that STA or if it is common to all
> STAs in the BSS (which I think it always is). A better
> description of step two could be:

The "broadcast key" is the (manually configured) default WEP key.

> >(Broadcast/default key is the same for all 
> > stations within a broadcast domain.If this is 

It is always the same within a BSS (which isn't necessarily equivalent
with a broadcast domain).

> > not the case then AP generates even Broadcast key

No.






RE: Can't get EAP/TLS module to load

2002-05-28 Thread Lars Viklund


> From: Raghu [mailto:[EMAIL PROTECTED]] 

> Michael Murphy wrote:
> > 
> > Hello.
> > 
> > I am trying to get EAP/TLS running with FreeRadius using 
> Ken Roser's great Howto.  My problem is that, when I start 
> radiusd -X, the following is at the end of the output:

> Try,
> ldd /path/rlm_eap_tls.so

I had to add -lcrypto to RLM_LIBS in the rlm_eap_tls Makefile.
