RE: TLS and TTLS

2003-10-01 Thread Kim Kjeldager Sørensen
> From: "Nixon, Anthony S." <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>
> Subject: RE: TLS and TTLS
> Date: Tue, 30 Sep 2003 14:33:08 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Gentlemen - thanks for the slap on the forehead and the healthy
discussion.
> I have made the move to a Proxim ORiNOCO AP-2000 w/ 11bg card.  Although a
> little pricier than the other APs, it works - and well I might add.  I am
> able to use WEP (and WPA-TKIP) with either dynamic or static keys and best
> of all - TTLS works like a charm.  Thanks again.  I recommend them highly,
> especially with the security features built in to the newest firmware
> release.
>
> -- Shon

Hi everybody.

Very interesting discussion of APs and the implementation of EAP. I've done
some research regarding my future WLAN implementation and I'm very happy
that FreeRadius is supporting TTLS!

I'm planning to use ZyXel's ZyAIR B-1000v2 APs since they are very
affordable and appear to support EAP - but with the previous discussion on
the implementation of EAP in mind I would like to know if anyone has tried
using this AP with FreeRadius and TTLS?

This is a snip from the user's manual:
"The type of authentication you use depends on the RADIUS server or the AP.
The ZyAIR supports EAP-TLS, EAP-TTLS and PEAP with RADIUS."

Maybe it could be useful to existing and future users of FreeRadius if a
list of APs supporting the various kinds of authentication could be found
somewhere?

Best regards
Kim Kjeldager Sørensen


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: TLS and TTLS

2003-09-30 Thread Nixon, Anthony S.
Gentlemen - thanks for the slap on the forehead and the healthy discussion.
I have made the move to a Proxim ORiNOCO AP-2000 w/ 11bg card.  Although a
little pricier than the other APs, it works - and well I might add.  I am
able to use WEP (and WPA-TKIP) with either dynamic or static keys and best
of all - TTLS works like a charm.  Thanks again.  I recommend them highly,
especially with the security features built in to the newest firmware
release.

-- Shon

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 30, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS 


Michael Brown <[EMAIL PROTECTED]> wrote:
> I agree with you in principle, that is how things should be; but we all
know
> that how things SHOULD WORK is not often how they really do.

  The RFC's explain how to make the AP work with *all* EAP types.  If
your AP doesn't do that, I suggest talking to them, and telling them
it's broken.

  e.g. the Intel AP discussed recently on this list, which expected
certain attributes to be in a particular order, for no reason
whatsoever.

  Yet, when customers complain about such stupidities, the vendor
almost always responds with a polite version of "f*ck off".  To me,
this is yet another reason for using open source software: You can FIX
IT when something goes wrong.

  Alan DeKok.



This message, including any attachments, is intended only for the use of the
addressee and contains information that is PRIVILEGED and CONFIDENTIAL.  It
may be used only by the addressee and may not be divulged without the
express consent of the sender.  If you have received this communication in
error, please erase all copies of the message and its attachments and notify
us immediately.  Thank you.




Re: TLS and TTLS

2003-09-30 Thread Alan DeKok
Michael Brown <[EMAIL PROTECTED]> wrote:
> I agree with you in principle, that is how things should be; but we all know
> that how things SHOULD WORK is not often how they really do.

  The RFC's explain how to make the AP work with *all* EAP types.  If
your AP doesn't do that, I suggest talking to them, and telling them
it's broken.

  e.g. the Intel AP discussed recently on this list, which expected
certain attributes to be in a particular order, for no reason
whatsoever.

  Yet, when customers complain about such stupidities, the vendor
almost always responds with a polite version of "f*ck off".  To me,
this is yet another reason for using open source software: You can FIX
IT when something goes wrong.

  Alan DeKok.



Re: TLS and TTLS

2003-09-30 Thread Michael Brown
Like I said, try to make it (TTLS) work with a D-link. I know the conventional
wisdom that a particular AP should support all EAP types if it supports one, but
in the real world, that is flat out wrong.  Because manufacturers do stupid
things to their AP's does not mean my understanding is limited, lol.  I
understand full well the EAP protocol, but I am not a manufacturer who seeks to
'limit' features 
(such as the 3Com that only supports EAP-MD5, or D-link, for that matter).  Have
you used these AP's and tried to make it work beyond the functionality they
advertise?? I have.  Vendors do dumb things, that is the way of the world.  So
I agree with you in principle, that is how things should be; but we all know
that how things SHOULD WORK is not often how they really do.

Quoting Artur Hecker <[EMAIL PROTECTED]>:

> 
> *?*
> 
> 
> Michael Brown wrote:
> 
> >>sorry, that's still wrong. they either support EAP or not. it is 
> >>completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or 
> >>whichever EAP scheme might EVER come out one day in the future, they 
> >>support it already. nice, he?
> > 
> > My point is EAP pass-through not the type! (So we agree but you do not
> see...)
> > Such nitpicking.  I did not mention md5 because it is IRRELEVANT to me! 
> > NOT ALL AP's PROVIDE EAP PASS-THROUGH FOR AUTH.
> > That was my point.
> 
> once again: we do not agree, i.e. what you say is wrong.
> 
> you say: your AP supports EAP/TLS but it doesn't support some other EAP 
> type. so, the first half of your presumption obliges the support of 
> 802.1X in the AP and the second relies uniquely on the usage of 802.1X 
> in the AP. this is obviously a contradiction.
> 
> it's not the question of type at all, it's the question of EAP support 
> in the AP (which you call "EAP pass through") which is ALWAYS general 
> i.e. type-independent and which is called 802.1X.
> 
> conclusion: if your AP supports EAP/TLS, it also supports ALL other EAP 
> types which exist and which will EVER come out in the future. that's 
> what i say, not more and not less.
> 
> now, if your AP doesn't support 802.1X, it does not support ANY EAP 
> type, not EAP/TLS and not any other. ok? it isn't nitpicking, since you 
> don't understand that by concept&design all the EAP types are the same 
> for the AP.
> 
> 
> ciao
> artur
> 
> 
> ps thanks for the proposition but i personally don't need any DLink+ 
> Access Points :-)
> 
> 
> 


Michael Brown


 mikro network solutions  *  http://www.mikro-net.com




Re: TLS and TTLS

2003-09-30 Thread Artur Hecker
hi Shon

i took a look at your log. for what concerns the server, your TTLS is 
working correctly and you are getting the Access-Accept sent out to the 
client. you even have accounting coming up for your TTLS user.



modcall: group authenticate returns handled
  TTLS: Got tunneled reply RADIUS code 2
	EAP-Message = 0x03010004
	Message-Authenticator = 0x
	User-Name = ""
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  TTLS: Freeing handler for user barney
  modcall[authenticate]: module "eap" returns handled
modcall: group authenticate returns handled
Sending Access-Accept of id 17 to xxx.xxx.xxx.xxx:1204
	MS-MPPE-Recv-Key = 0xdc375f3020c56c6d8486b0925a07e931c7a1dd27585d5f481dc614455c714de0
	MS-MPPE-Send-Key = 0x8aa9578d6cec57fb0c5b9ceec8bbbf449309dc2961107c66751fa715f1c75c8b
	EAP-Message = 0x03080004
	Message-Authenticator = 0x
	User-Name = "anonymous"
Finished request 16

so you can see that your server sends the Accept.
you even have accounting, that is the ports on the AP are open.
rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:1205, 
id=18, length=86
	Acct-Status-Type = Start
	User-Name = "anonymous"
	Acct-Session-Id = "000181890002"
	NAS-IP-Address = xxx.xxx.xxx.xxx
	NAS-Port = 0
	Acct-Authentic = RADIUS
	NAS-Identifier = "xxx"
	Acct-Delay-Time = 0

Conclusion: if you encounter problems with your TTLS users, it has
nothing to do with the server (server sends Accept) and probably not
even with your AP (since it provides Accounting info, thus it should
think that the session is open for the user). Perhaps you have some
problems at your client. i can't see it out of the provided log.

ciao
artur
Nixon, Anthony S. wrote:

> Sorry for the out of list email, but I did not want others to see some of
> the info in the logs.  It can be found at:  x
> Please let me know what you think.
>
> -- Shon
>
> -Original Message-
> From: Artur Hecker
>
> i personally think that the problem is the client-server interaction.
> something is wrong and your client is not responding and you don't know
> why, so you suppose it's the AP but it's not.




Re: TLS and TTLS

2003-09-30 Thread Artur Hecker
*?*

Michael Brown wrote:

> > sorry, that's still wrong. they either support EAP or not. it is
> > completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or
> > whichever EAP scheme might EVER come out one day in the future, they
> > support it already. nice, he?
>
> My point is EAP pass-through not the type! (So we agree but you do not see...)
> Such nitpicking.  I did not mention md5 because it is IRRELEVANT to me!
> NOT ALL AP's PROVIDE EAP PASS-THROUGH FOR AUTH.
> That was my point.
once again: we do not agree, i.e. what you say is wrong.

you say: your AP supports EAP/TLS but it doesn't support some other EAP 
type. so, the first half of your presumption obliges the support of 
802.1X in the AP and the second relies uniquely on the usage of 802.1X 
in the AP. this is obviously a contradiction.

it's not the question of type at all, it's the question of EAP support 
in the AP (which you call "EAP pass through") which is ALWAYS general 
i.e. type-independent and which is called 802.1X.

conclusion: if your AP supports EAP/TLS, it also supports ALL other EAP 
types which exist and which will EVER come out in the future. that's 
what i say, not more and not less.

now, if your AP doesn't support 802.1X, it does not support ANY EAP 
type, not EAP/TLS and not any other. ok? it isn't nitpicking, since you 
don't understand that by concept&design all the EAP types are the same 
for the AP.

ciao
artur
ps thanks for the proposition but i personally don't need any DLink+ 
Access Points :-)





Re: TLS and TTLS

2003-09-29 Thread Michael Brown
Buy yourself a D-Link 900AP+ and see if it does TTLS.  Just a thought.

MB

 mikro network solutions  *  http://www.mikro-net.com




Re: TLS and TTLS

2003-09-29 Thread Michael Brown
Quoting Artur Hecker <[EMAIL PROTECTED]>:


> sorry, that's still wrong. they either support EAP or not. it is 
> completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or 
> whichever EAP scheme might EVER come out one day in the future, they 
> support it already. nice, he?
> 
My point is EAP pass-through not the type! (So we agree but you do not see...)
Such nitpicking.  I did not mention md5 because it is IRRELEVANT to me! 
NOT ALL AP's PROVIDE EAP PASS-THROUGH FOR AUTH.
That was my point.

Michael Brown.


 mikro network solutions  *  http://www.mikro-net.com




Re: TLS and TTLS

2003-09-29 Thread Artur Hecker
hi

i don't think it's correct unless you have some dumb option to 
explicitly block TTLS. you should post some server logs in order to 
prove that nothing is coming.

let me explain myself: in _EACH_ EAP method the first packet incoming at
the RADIUS server will be either EAPOL Start OR EAP Response/Identity
message. i want to see a log file, where the Response/Identity of the
TLS is arriving and the response identity of the TTLS is not - knowing
that both packets are exactly the same. i don't see, why the
following packets wouldn't be forwarded to the server. prove it.

i personally think that the problem is the client-server interaction. 
something is wrong and your client is not responding and you don't know 
why, so you suppose it's the AP but it's not.

ciao
artur
Nixon, Anthony S. wrote:

> Thanks very much for the education on AP's, but this still does not answer
> the question of why an AP will pass EAP-MD5 and EAP-TLS, but might not pass
> EAP-TTLS?




Re: TLS and TTLS

2003-09-29 Thread Alan DeKok
"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
...

  Please don't top post.  It's annoying.  e.g.

  A: Because it sucks.
  Q: Why is top posting bad?


  Posting things in order is nice, as in:

> >   Funk may not implement TTLS correctly...
>
> Umm, forgive me, but I thought they wrote the spec?

  Yes.  So?

  Search the net for TTLS.  You'll discover that the spec says one
thing, and that Funk has implemented something slightly different, for
part of the TTLS protocol.

  Alan DeKok.



RE: TLS and TTLS

2003-09-29 Thread Jeremy Davis
Umm, 802.1X was designed by meetinghouse www.mtghouse.com for incorporation
with HP for their Procurve line of products.  Funk Software co-invented
EAP-TTLS with Certicom.

Jeremy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nixon,
Anthony S.
Sent: Monday, September 29, 2003 9:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: TLS and TTLS


Umm, forgive me, but I thought they wrote the spec?


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS


"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
> When I switch it over to authenticate with TTLS, I get a "Failure -
> Authentication rejected by server" on the Funk 2.22 client.

  Funk may not implement TTLS correctly...


  Alan DeKok.



RE: TLS and TTLS

2003-09-29 Thread Nixon, Anthony S.
Thanks very much for the education on AP's, but this still does not answer
the question of why an AP will pass EAP-MD5 and EAP-TLS, but might not pass
EAP-TTLS?




RE: TLS and TTLS

2003-09-29 Thread Nixon, Anthony S.
Umm, forgive me, but I thought they wrote the spec?


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS 


"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
> When I switch it over to authenticate with TTLS, I get a "Failure -
> Authentication rejected by server" on the Funk 2.22 client.

  Funk may not implement TTLS correctly...


  Alan DeKok.



Re: TLS and TTLS

2003-09-29 Thread Artur Hecker
hi


> Of course they do: whether they SUPPORT (act as a pass-through device for) these
> auth schemes or not.

sorry, that's still wrong. they either support EAP or not. it is
completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or
whichever EAP scheme might EVER come out one day in the future, they
support it already. nice, he?


> I KNOW they have nothing to do with the actual auth beside that fact, but you
> can't use EAP-TLS or TTLS with just any old AP, now can you?

of course you can, as long as it supports 802.1X.


> Such nitpicking.

no, sorry. you've just never understood why EAP has been developed. so,
you suggest that the problem could be a 802.1X aware AP which is - in
your opinion - the problem for TTLS not passing through. that's
_completely_ wrong, so the guy having problem has been put on the wrong
way, i've only corrected this mistake, be it important or not.



ciao
artur

> > hardly ever.
> >
> > the APs have NOTHING to do with neither TTLS nor TLS.
> >
> > ciao
> > artur
> > Michael Brown wrote:
> >
> > > I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> > > product that does TTLS.  That is most likely your problem.
> > > Michael Brown


Re: TLS and TTLS

2003-09-27 Thread Alan DeKok
Michael Brown <[EMAIL PROTECTED]> wrote:
> Of course they do: whether they SUPPORT (act as a pass-through device for) these
> auth schemes or not.
> I KNOW they have nothing to do with the actual auth beside that fact, but you
> can't use EAP-TLS or TTLS with just any old AP, now can you?

  I don't see why not.  RFC 2869 describes the way the AP handles the
EAP <-> RADIUS conversation.  It explicitly states that the system is
designed so that the AP *never* has to look at the EAP packets.  It
just blindly copies them back & forth, until it sees a RADIUS
Access-Reject, or Access-Accept.  It then looks at the RADIUS
attributes to determine what to do with the client.

  Alan DeKok.


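The pass-through behaviour Alan describes from RFC 2869, together with Artur's point further up the thread that the EAP-Response/Identity reaching the server is the same whatever method follows, as an added example that is neither FreeRADIUS code nor anything posted in the thread. It models the authenticator (the AP) as code that wraps each EAP frame in RADIUS EAP-Message attributes, fills in the RFC 2869 Message-Authenticator, echoes State, and decides only on the RADIUS code it gets back. The RADIUS server and the supplicant are toy stand-ins written for the demo; the shared secret testing123 and the identity anonymous are made up; EAP type 255, the experimental type from RFC 3748, stands in for "a method that does not exist yet". The EAP type numbers and RADIUS codes and attribute numbers are the registered ones.

```python
"""EAP pass-through authenticator over RADIUS, after RFC 2865 and RFC 2869. Added example,
not code from FreeRADIUS or from anyone in the thread: the RADIUS server and the supplicant
are toy stand-ins constructed for the demo, and the shared secret and identity are made up."""
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4             # RFC 3748 codes
EAP_IDENTITY, EAP_NAK, EAP_MD5, EAP_TLS, EAP_TTLS, EAP_EXPERIMENTAL = 1, 3, 4, 13, 21, 255
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RFC 2865 codes
A_USER_NAME, A_STATE, A_EAP_MESSAGE, A_MSG_AUTH = 1, 24, 79, 80                 # attribute types

def eap_packet(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def radius_encode(code, ident, request_auth, attrs, secret):
    """EAP-Message chunked to 253 octets; Message-Authenticator = HMAC-MD5 over the packet
    with that field zeroed (RFC 2869); replies then get the RFC 2865 Response Authenticator."""
    avps = b""
    for t, v in attrs:
        for chunk in ([v[i:i + 253] for i in range(0, len(v), 253)] if t == A_EAP_MESSAGE else [v]):
            avps += struct.pack("!BB", t, 2 + len(chunk)) + chunk
    ma_at = 20 + len(avps) + 2                                   # offset of the 16 MAC octets
    avps += struct.pack("!BB", A_MSG_AUTH, 18) + bytes(16)
    pkt = struct.pack("!BBH", code, ident, 20 + len(avps)) + request_auth + avps
    pkt = pkt[:ma_at] + hmac.new(secret, pkt, hashlib.md5).digest() + pkt[ma_at + 16:]
    if code != ACCESS_REQUEST:
        pkt = pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]
    return pkt

def radius_decode(pkt, secret, request_auth=None):
    """Parse and verify (for a reply, pass the Access-Request's authenticator); reassembles
    EAP-Message chunks. Any integrity failure raises ValueError."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    if code == ACCESS_REQUEST:
        request_auth = pkt[4:20]
    elif not hmac.compare_digest(hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest(), pkt[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos, ma_at = {}, 20, None
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, end = pkt[pos], pos + pkt[pos + 1]
        ma_at = pos + 2 if t == A_MSG_AUTH else ma_at
        attrs[t] = attrs.get(t, b"") + pkt[pos + 2:end]          # concatenation reassembles EAP-Message
        pos = end
    if ma_at is None:
        raise ValueError("EAP over RADIUS requires Message-Authenticator")
    zeroed = pkt[:4] + request_auth + pkt[20:ma_at] + bytes(16) + pkt[ma_at + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[ma_at:ma_at + 16]):
        raise ValueError("bad Message-Authenticator")
    return code, ident, attrs

class PassThroughAP:
    """Authenticator role: wrap the EAP frame, forward it, act only on the RADIUS code."""
    def __init__(self, secret, send_to_server):
        self.secret, self.send, self.state, self.ident, self.user = secret, send_to_server, None, 0, None
    def relay(self, eap):
        if eap[0] == EAP_RESPONSE and eap[4:5] == bytes([EAP_IDENTITY]):
            self.user = eap[5:]                                  # the one EAP field the NAS reads
        self.ident, req_auth = (self.ident + 1) % 256, os.urandom(16)
        attrs = [(A_EAP_MESSAGE, eap)] + ([(A_USER_NAME, self.user)] if self.user else [])
        attrs += [(A_STATE, self.state)] if self.state else []   # State goes back unmodified
        reply = self.send(radius_encode(ACCESS_REQUEST, self.ident, req_auth, attrs, self.secret))
        code, ident, rattrs = radius_decode(reply, self.secret, request_auth=req_auth)
        if ident != self.ident:
            raise ValueError("reply Identifier does not match the request")
        self.state, eap_out = rattrs.get(A_STATE), rattrs.get(A_EAP_MESSAGE, b"")
        return {ACCESS_CHALLENGE: "challenge", ACCESS_ACCEPT: "port-authorized"}.get(code, "port-unauthorized"), eap_out

def make_toy_server(secret, method):
    """Stand-in server: offers `method` after the Identity response, accepts a b"ok" answer."""
    sessions = set()
    def server(req):
        ident, attrs = radius_decode(req, secret)[1:]
        req_auth, eap, state = req[4:20], attrs[A_EAP_MESSAGE], attrs.get(A_STATE)
        if state is None and eap[4] == EAP_IDENTITY:
            sessions.add(state := os.urandom(8))
            out = [(A_STATE, state), (A_EAP_MESSAGE, eap_packet(EAP_REQUEST, (eap[1] + 1) % 256, method, b"start"))]
            return radius_encode(ACCESS_CHALLENGE, ident, req_auth, out, secret)
        if state in sessions and eap[4] == method and eap[5:] == b"ok":
            return radius_encode(ACCESS_ACCEPT, ident, req_auth, [(A_EAP_MESSAGE, eap_packet(EAP_SUCCESS, eap[1]))], secret)
        return radius_encode(ACCESS_REJECT, ident, req_auth, [(A_EAP_MESSAGE, eap_packet(EAP_FAILURE, eap[1]))], secret)
    return server

def run_session(server_method, supplicant_methods, tamper=False):
    """One session through the AP; tamper=True flips an octet of the first reply in transit."""
    secret = b"testing123"                                       # made-up shared secret
    server = make_toy_server(secret, server_method)
    def path(req):                                               # flips the first State octet if asked
        return bytes(b ^ (1 if tamper and i == 22 else 0) for i, b in enumerate(server(req)))
    ap = PassThroughAP(secret, path)
    try:
        _, eap = ap.relay(eap_packet(EAP_RESPONSE, 0, EAP_IDENTITY, b"anonymous"))
    except ValueError as err:
        return f"dropped: {err}"
    if eap[4] in supplicant_methods:
        answer = eap_packet(EAP_RESPONSE, eap[1], eap[4], b"ok")
    else:                                                        # RFC 3748 Nak listing acceptable types
        answer = eap_packet(EAP_RESPONSE, eap[1], EAP_NAK, bytes(sorted(supplicant_methods)))
    return ap.relay(answer)[0]
```

With the server offering MD5, TLS, TTLS or type 255, run_session returns port-authorized from the same AP code path, which never reads the Type octet; an AP that "does TLS but not TTLS" is therefore doing something outside RFC 2869, such as parsing EAP itself, dropping State, or choking on several EAP-Message attributes in one packet (the attribute-order bug Alan mentions is the same family). The tampered run shows what the shared-secret checks buy: a reply whose State or any other attribute is changed on the wire fails the Response Authenticator and Message-Authenticator checks and is dropped rather than relayed to the station, and without Message-Authenticator an Access-Request carrying EAP would be forgeable, since the Request Authenticator alone is only a nonce.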


Re: TLS and TTLS

2003-09-26 Thread Michael Brown
Of course they do: whether they SUPPORT (act as a pass-through device for) these
auth schemes or not.
I KNOW they have nothing to do with the actual auth beside that fact, but you
can't use EAP-TLS or TTLS with just any old AP, now can you?

Such nitpicking.



Quoting Artur Hecker <[EMAIL PROTECTED]>:

> hardly ever.
> 
> the APs have NOTHING to do with neither TTLS nor TLS.
> 
> 
> ciao
> artur
> 
> 
> Michael Brown wrote:
> 
> > I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> > product that does TTLS.  That is most likely your problem.
> > 
> > Michael Brown
> 
> 


Michael Brown


 mikro network solutions  *  http://www.mikro-net.com




Re: TLS and TTLS

2003-09-26 Thread Artur Hecker
hardly ever.

the APs have NOTHING to do with neither TTLS nor TLS.

ciao
artur
Michael Brown wrote:

> I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> product that does TTLS.  That is most likely your problem.
> Michael Brown




Re: TLS and TTLS

2003-09-25 Thread Michael Brown
I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
product that does TTLS.  That is most likely your problem.

Michael Brown


 mikro network solutions  *  http://www.mikro-net.com




Re: TLS and TTLS

2003-09-25 Thread Alan DeKok
"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
> When I switch it over to authenticate with TTLS, I get a "Failure -
> Authentication rejected by server" on the Funk 2.22 client.

  Funk may not implement TTLS correctly...

> I have run the server in debug mode and captured the logging info of
> both TLS and TTLS sessions to separate text files.  The main
> question here is exactly what do I look for that would possibly
> point to a failure?

  Error messages may be there, but may also be confusing.  SSL isn't
very descriptive with its errors.

>  I see the tunnel is created and then the negotiation starts fine
> after that using TTLS.  Could I get some possible reasons for
> failure of TTLS versus TLS success?

  Put the logs on a web page somewhere.

  Alan DeKok.



TLS and TTLS

2003-09-25 Thread Nixon, Anthony S.
I have implemented TLS and TTLS on the latest snapshot of FreeRADIUS.  When
authenticating with TLS on a D-Link DWL-2000AP, I have no problems.  Works
great!  When I switch it over to authenticate with TTLS, I get a "Failure -
Authentication rejected by server" on the Funk 2.22 client.  I did get TTLS
authentication working with a Linksys WAP54G.  I have run the server in
debug mode and captured the logging info of both TLS and TTLS sessions to
separate text files.  The main question here is exactly what do I look for
that would possibly point to a failure?  I see the tunnel is created and
then the negotiation starts fine after that using TTLS.  Could I get some
possible reasons for failure of TTLS versus TLS success?



Thanks - Shon Nixon

