Re: Advices needed
> WEP with static keys is insecure. TTLS/PEAP include ways of rotating the keys before the data can be decrypted. It's not a problem.

Yep. I guess I wasn't clear. Sorry for my English, by the way. The thing is, WEP cannot be used in my case, since the WEP key is shared among users at a given moment, which means any user can decipher data sent or received by any other user. My users cannot trust each other; that's the reason I'm in need of a tunnel. Can I send tunnel information using EAP-TTLS, or is it only for sending WEP keys?

> Xsupplicant supports PEAP version 0, and TTLS. It works under Linux, but not necessarily other Unixes.

That's great, thanks.

-- 
Alain Perry

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advices needed
On Sat 26/06/2004 at 15:52, Michael Griego wrote:

> Depending on your access points, this is not true. If you're using Cisco APs, for instance, you have per-user WEP keys generated so that each user can only decrypt his traffic. Any AP that claims WPA compliance should issue per-user keys, even if only legacy 802.1x (without the WPA enhancements) is used.

Well, the configuration must be able to operate with APs from different manufacturers, some not being able to use WPA (really old). I didn't know all of this though, so thank you for this information.

-- 
Alain Perry
Re: Advices needed
> Which is why EAP-TLS, EAP-TTLS, and PEAP all provide per-user WEP keys.

Yep, got that. But as I said in one of my previous mails, that is not really possible in my case.

> EAP methods do authentication, and *nothing* else. Even the WEP key sending is a hack on top of that, that the AP interprets, and the supplicant never sees.

Okay. I guess I'll have to find another solution then. Thanks for your help.

-- 
Alain Perry
Re: no detailed log in eap/tls
On Fri 25/06/2004 at 13:52, [EMAIL PROTECTED] wrote:

> Hello, I'm doing a test with EAP-TLS between a WinXP client and a Linux server. When I type 'radiusd -X -A' everything seems to be OK, and the client receives an EAP-Success. I have uncommented in radiusd.conf all the instructions about 'logging', but I do not have a detailed log of all accounting records received and of authentication requests in radacctdir=${logdir}/radacct. I need some help, thanks.

Does launching the freeradius executable with the -x switch not help?

-- 
Alain Perry
Re: eap_ttls and eap_peap linking problem SOLVED
> thoughts/comments as to advantages/disadvantages of enabling/disabling shared libs?

I'm probably not the best here to answer that, but my first guess would be security issues. If openssl is updated by your package management system because of a security hole or anything, you will have to recompile freeradius against it to be safe. The second one would be the code size: if you have another piece of software using openssl, for example apache, openssl will be loaded twice into memory. Those are the two main ones I can think of, but hey, if that's the only way to make freeradius work for you, it might be worth it :-)

-- 
Alain Perry
Re: Advices needed
On Thu 24/06/2004 at 19:06, Alan DeKok wrote:

> Use EAP-TLS, EAP-TTLS, or EAP-PEAP.

Yep, that's what I finally planned.

> Then EAP-TLS is probably not worth it.

Okay, so that only leaves me with EAP-TTLS and EAP-PEAP.

> That's not how wireless works. It sets up an encryption key used to encrypt the wireless traffic, but there's no IPSec involved.

Yep, the problem is that the encryption is WEP, isn't it? I don't really mind that WEP is easy to break, since I could change the key often enough, but the problem is that each user cannot trust each other in my case. So WEP is definitely not the way to go. I think I need a tunnel, might be PPTP, but I'm not fond of MPPE. Is there any other safe encryption method for PPTP? Or any other tunneling protocol I could use seamlessly enough for Windows users not to worry too much about it (for *nix users I can easily script the stuff anyway...)?

> See http://www.freeradius.org/doc/ for some how-to's.

Okay, should have checked that, I'm going for it.

> TTLS or PEAP. Free clients exist for both for Windows and Unix.

I've read everywhere that PEAP was a Windows-only thing. Were all the webpages saying that outdated? Is Xsupplicant the client supporting TTLS under *nix? Thanks for your help.

-- 
Alain Perry
RE: radius access-reject
On Thu 24/06/2004 at 08:08, TANGUY ERIC wrote:

> In which file must I do the modifications, and which modifications?

Hum, as I said, you need to modify the LDAP entry for your user... That means not modifying a file, but adding a dialupAccess attribute to your user's LDAP profile. Of course, the RADIUS_LDAPv3 schema must be imported on your LDAP server. The dialupAccess attribute should then be set to true, but anything except false should do.

-- 
Alain Perry
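As an added illustration of the reply above (example data, not part of the thread or of the FreeRADIUS project), this is the LDAP-side change it describes: an LDIF modify that attaches the radiusprofile object class from RADIUS-LDAPv3.schema to an existing user entry and sets dialupAccess. The DN, base and uid are placeholders; the schema must already be loaded on the server or the modify is rejected with an object class violation.

```ldif
# Added example, not from the thread. uid=alain and dc=example,dc=org are
# placeholders; replace them with the real user DN in your directory.
dn: uid=alain,ou=people,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: radiusprofile
-
add: dialupAccess
dialupAccess: TRUE
```

Apply it with `ldapmodify -x -D <admin DN> -W -f file.ldif`. On the FreeRADIUS side, the ldap module in radiusd.conf has to be told which attribute gates access: `access_attr = "dialupAccess"` together with `access_attr_used_for_allow = yes` makes the check "attribute present and not set to false", which is the behaviour described in the reply; with `access_attr_used_for_allow = no` the meaning inverts and the mere presence of the attribute denies access, so a schema-only change without this setting is a common source of unexpected Access-Reject.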
RE: radius access-reject
I don't know everything (far from it, unfortunately) about FreeRADIUS, but what's the point in using a users file if your user database is in an LDAP directory (this is a real question; I'm probably just missing something here)? About your new problem, I'm sorry, but I haven't used CHAP yet (and I'm not planning to), so I can't really help you with that...

-- 
Alain Perry
Advices needed
Hi list,

I'm sorry if this message is somehow lame, but I need to get some more understanding of the different options offered by FreeRADIUS and the standards to decide how to use it.

I want users to be able to authenticate over an insecure link (wireless, for example) and then to be able to use that link with maximum privacy. My users' profiles are stored in an LDAP directory. I would like to use EAP-TLS, as it is supported in most OSs, to exchange data with the user about the establishment of an IPsec tunnel (using AH in tunneling mode). Is that possible? I believe I read something about LDAP and EAP-TLS being incompatible, and I couldn't find anything about using EAP-TLS for anything but PPP.

Do you have any pointers to any documentation which would help me understand EAP-TLS and EAP-TTLS better? Would you advise another way of authenticating users and establishing the tunnel?

Thanks for your answers,

-- 
Alain Perry
FreeRadius using PGP to authenticate users
(Moderators: sorry, I first sent this email with the wrong email address)

Hi list,

I'm curious about the possibility of using PGP keys to authenticate users via a challenge. I'm using an LDAP database to store my users' information, and this is working great with a simple login/password scheme for the moment. However, I would really like to be able to authenticate them using a random string which would be encrypted using their public key; they would just have to decipher it and send back the string. I barely understand whether EAP could help with that (all documentation I find is evasive about EAP when not related to 802.1x)...

Could any of you tell me if this would be possible with FreeRADIUS as it is now? Would I have to modify its code? Would EAP really help?

Thanks in advance for your answers, and please excuse my question if it is stupid; I'm totally new to RADIUS (I read Jonathan Hassell's book, but it doesn't help on that particular subject).

-- 
Alain Perry
Re: FreeRadius using PGP to authenticate users
> What software exists on the client side to do this? If the answer is none, there isn't much point in doing it.

The answer is none, but I'm planning on writing it...

> EAP started off as part of PPP. It's used elsewhere now.

That I understood.

> To do this, you could use EAP-GTC, but few clients implement it as-is. It's usually part of EAP-TTLS or PEAP.

The only RADIUS software I'm going to use is FreeRADIUS and the one I'll write, so if FreeRADIUS does it, that's good enough for me :-)

> If you're doing wireless, use EAP. If not, don't.

Well, I'm doing wireless, but I'd like not to use a login/password scheme.

> FreeRADIUS can do challenge-response fairly easily, but you will have to write code to decide what to use for a challenge, and how to verify the response.

Is this feasible as a module, or do I have to actually modify FreeRADIUS code to do it?

Thank you for your answers,

-- 
Alain Perry
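The two pieces of code the reply above says you have to write, as an added example that is not from the thread and not FreeRADIUS code: choosing the challenge and verifying the response, wrapped in the RADIUS Access-Challenge round trip. Messages are modelled as plain dicts rather than real RADIUS packets, and the RSA key pair built from two Mersenne primes is a toy stand-in for the user's PGP key (a real module would hand the nonce to GnuPG). It goes a little beyond the thread in that the server binds each challenge to a RADIUS State value, makes it single-use and time-limited, and compares in constant time; those are the parts that make a home-grown challenge-response safe against replay and session swapping. One design caveat: a "decrypt what I send you" challenge turns the user's private key into a decryption oracle for whoever can talk to the supplicant, which is why signing a server-chosen nonce is the more usual design; the decrypt form is kept here because it is what the thread discusses.

```python
"""Challenge/response skeleton for the "decrypt this nonce" scheme from the
thread. Added example, not FreeRADIUS code: RADIUS packets are dicts and the
RSA pair below is a toy stand-in for the user's PGP key (textbook RSA, no
padding; never use it as a real cipher)."""
import hmac
import secrets
import time

P = 2**89 - 1            # Mersenne primes, so the modulus is built at runtime
Q = 2**107 - 1           # without shipping a key; ~196-bit N, toy strength
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
NONCE_LEN = 16           # 128-bit nonce fits comfortably below N
CHALLENGE_TTL = 30       # seconds a challenge stays valid

def pk_encrypt(m: bytes) -> int:
    """Server side: encrypt the nonce to the user's public key."""
    return pow(int.from_bytes(m, "big"), E, N)

def pk_decrypt(c: int) -> bytes:
    """Client side: fixed-length decode so leading zero bytes survive."""
    return pow(c, D, N).to_bytes(NONCE_LEN, "big")

class ChallengeAuth:
    """Server state machine. Each challenge is single-use, time-limited and
    bound to a State value the client must echo unchanged (RFC 2865)."""
    def __init__(self, clock=time.time):
        self._pending = {}        # State -> (username, nonce, issued_at)
        self._clock = clock

    def handle(self, request: dict) -> dict:
        user = request["User-Name"]
        state = request.get("State")
        if state is None:                       # first leg: issue a challenge
            return self._issue_challenge(user)
        return self._verify(user, state, request.get("User-Password", b""))

    def _issue_challenge(self, user):
        nonce = secrets.token_bytes(NONCE_LEN)  # what to use as the challenge
        state = secrets.token_hex(16)           # opaque session binding
        self._pending[state] = (user, nonce, self._clock())
        return {"code": "Access-Challenge", "State": state,
                "Reply-Message": str(pk_encrypt(nonce))}

    def _verify(self, user, state, response: bytes):
        entry = self._pending.pop(state, None)  # pop: a State is single-use
        if entry is None:
            return {"code": "Access-Reject", "reason": "unknown or reused State"}
        expected_user, nonce, issued = entry
        if expected_user != user:
            return {"code": "Access-Reject", "reason": "State issued to another user"}
        if self._clock() - issued > CHALLENGE_TTL:
            return {"code": "Access-Reject", "reason": "challenge expired"}
        if not hmac.compare_digest(response, nonce):   # constant-time compare
            return {"code": "Access-Reject", "reason": "bad response"}
        return {"code": "Access-Accept"}

def client_answer(challenge: dict, user: str) -> dict:
    """Supplicant side: decrypt the nonce and echo State back unchanged."""
    plain = pk_decrypt(int(challenge["Reply-Message"]))
    return {"User-Name": user, "State": challenge["State"], "User-Password": plain}

def run_exchange(user="alain", clock=time.time):
    """Full round trip plus a replay of the same answer; returns the codes."""
    srv = ChallengeAuth(clock)
    chal = srv.handle({"User-Name": user})
    first = srv.handle(client_answer(chal, user))
    replay = srv.handle(client_answer(chal, user))   # same State a second time
    return chal["code"], first["code"], replay["code"]

if __name__ == "__main__":
    print(run_exchange())
```

In a real module the encrypted nonce would travel in the Access-Challenge (Reply-Message, or an EAP-GTC payload as the reply suggests) and the answer would come back in the next Access-Request carrying the same State; FreeRADIUS handles the packet plumbing, the module only supplies the two functions above. Whatever key backend replaces the toy RSA, keep the State lookup, the single-use pop and the expiry: without them a captured answer can be replayed or attached to a different user's session.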