Re: EAP-TLS and WEP key generation

2004-05-25 Thread Bob McCormick
I don't know.  That does have me concerned about my test AP...
On May 25, 2004, at 6:56 AM, Chris Bshaw wrote:
Hi Bob.
I **think** I might have it working now.
I just added to the original config the following lines:
encryption vlan 90 key 1 size 128bit 7 CE78330C1A841439656A9323F25A 
transmit-key
encryption vlan 90 mode ciphers wep128

I read thru some examples on the cisco website (mostly for LEAP rather 
than EAP) and they mentioned creating an initial broadcast key.

Now I can connect my client PC, and all the traffic in kismet appears 
encrypted. If I open a kismet dump in ethereal, it also appears 
encrypted and all I see is MAC addresses... no IP addresses... is this 
what I should see if I have not decrypted the traffic?

I know I am being pedantic, but if I initialise the broadcast key as 
above, and then use broadcast key rotation, (which I am) am I correct 
in saying that this means that once the broadcast key rotation time 
limit is reached a new broadcast key is generated which is different 
from the initial one?

If so, I presume this means that when the unit is switched on, it will 
always have the same initial key (i.e. it doesn't in some way 
remember the last one used?)?

Thanx for all your help.
Chris.

From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Mon, 24 May 2004 14:25:31 -0600
I honestly don't know, but I'd love to find out.
Three things I can think of to try...
1) You should be able to specify a vlan for your cypher suite, 
something like this " encryption vlan mode 90 mode ciphers wep128"  
You might see if that makes any difference
2) You could try using "encryption mode wep mandatory" instead of 
ciphers.
3) You could try upgrading to the latest IOS version for your AP,  
and/or open a TAC case.

On May 24, 2004, at 1:55 PM, Chris Bshaw wrote:
Hi Bob
Config attached.
Also, I should mention the config of the client. I am using a 
NetGear WG511 802.11g card. I don't have any security features 
enabled on the utility which comes with the WG511 (no WEP, WPA etc) 
and there are no options for EAP on this utility.

I enabled all the EAP stuff via the Authentication tab on the 
Properties of the interface under Start -> Network and Dialup 
connections in Windoze.

Under there I have the following set:
Enable network control using IEEE 802.1x
EAP Type: Smart Card or other Certificate
Use a certificate on this computer
and I select the certificate generated on my freeradius server. 
This is more or less what is described under 
http://www.freeradius.org/doc/EAPTLS.pdf.

There is a method in this doc for debugging EAP on the Cisco AP, 
which I had not noticed before... I'll try this tomorrow.

Finally, just in case you might not remember from my previous 
emails, I was (and I think still am) able to see EAPOL packets on my 
wireless client when I ran ethereal on the wireless interface.

Thanx in advance for your help.
Chris.


- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




Re: EAP-TLS and WEP key generation

2004-05-25 Thread Chris Bshaw
Hi Bob.
I **think** I might have it working now.
I just added to the original config the following lines:
encryption vlan 90 key 1 size 128bit 7 CE78330C1A841439656A9323F25A 
transmit-key
encryption vlan 90 mode ciphers wep128

I read thru some examples on the cisco website (mostly for LEAP rather than 
EAP) and they mentioned creating an initial broadcast key.

Now I can connect my client PC, and all the traffic in kismet appears 
encrypted. If I open a kismet dump in ethereal, it also appears encrypted and 
all I see is MAC addresses... no IP addresses... is this what I should see 
if I have not decrypted the traffic?

I know I am being pedantic, but if I initialise the broadcast key as above, 
and then use broadcast key rotation, (which I am) am I correct in saying 
that this means that once the broadcast key rotation time limit is reached a 
new broadcast key is generated which is different from the initial one?

If so, I presume this means that when the unit is switched on, it will 
always have the same initial key (i.e. it doesn't in some way remember 
the last one used?)?

Thanx for all your help.
Chris.

From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Mon, 24 May 2004 14:25:31 -0600
I honestly don't know, but I'd love to find out.
Three things I can think of to try...
1) You should be able to specify a vlan for your cypher suite, something 
like this " encryption vlan mode 90 mode ciphers wep128"  You might see if 
that makes any difference
2) You could try using "encryption mode wep mandatory" instead of ciphers.
3) You could try upgrading to the latest IOS version for your AP,  and/or 
open a TAC case.

On May 24, 2004, at 1:55 PM, Chris Bshaw wrote:
Hi Bob
Config attached.
Also, I should mention the config of the client. I am using a NetGear 
WG511 802.11g card. I don't have any security features enabled on the 
utility which comes with the WG511 (no WEP, WPA etc) and there are no 
options for EAP on this utility.

I enabled all the EAP stuff via the Authentication tab on the Properties 
of the interface under Start -> Network and Dialup connections in Windoze.

Under there I have the following set:
Enable network control using IEEE 802.1x
EAP Type: Smart Card or other Certificate
Use a certificate on this computer
and I select the certificate generated on my freeradius server. This 
is more or less what is described under 
http://www.freeradius.org/doc/EAPTLS.pdf.

There is a method in this doc for debugging EAP on the Cisco AP, which I 
had not noticed before... I'll try this tomorrow.

Finally, just in case you might not remember from my previous emails, I 
was (and I think still am) able to see EAPOL packets on my wireless client 
when I ran ethereal on the wireless interface.

Thanx in advance for your help.
Chris.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
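Chris asks whether a capture that shows only MAC addresses and no IP addresses is what an undecrypted WEP session should look like. The answer sits in the 802.11 header: the addresses are always in the clear, and a passive sniffer such as Kismet or Ethereal decides whether the body is readable from the Protected Frame bit of the Frame Control field. The Python below is an added example (not code from this thread, from Kismet or from Cisco) that parses raw 802.11 data frames and reports which ones a listener could read. The frames are constructed sample data: the station address is the one from the AP log line quoted later in the thread, the BSSID and gateway addresses are made up, and the "ciphertext" is just filler bytes.

```python
"""Tell protected 802.11 data frames from cleartext ones by the Frame Control bits.

Added example, not code from the thread. The MAC addresses in the 802.11 header
are always readable by a passive sniffer; the IP payload is readable only when
the Protected Frame bit is clear. The frames below are constructed sample data.
"""
import struct

FC_TYPE_DATA = 2
FLAG_TO_DS = 0x01
FLAG_PROTECTED = 0x40      # Frame Control flag: body is WEP/TKIP/CCMP encrypted
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header of an IPv4 payload

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Describe one raw 802.11 MAC frame (no radiotap/prism header in front)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & FLAG_PROTECTED)
    info = {
        "type": ftype,
        "protected": protected,
        "addr1": mac_str(frame[4:10]),   # receiver (the BSSID for a To-DS frame)
        "addr2": mac_str(frame[10:16]),  # transmitter (the station)
        "addr3": mac_str(frame[16:22]),  # final destination for a To-DS frame
    }
    if ftype != FC_TYPE_DATA:
        return info
    hdr_len = 26 if subtype & 0x8 else 24   # QoS data subtypes add a 2-byte QoS field
    body = frame[hdr_len:]
    if protected:
        # Encrypted body: 3-byte IV, then a byte whose top two bits are the key index.
        info["wep_key_index"] = body[3] >> 6 if len(body) >= 4 else None
        info["cleartext_ip"] = False
    else:
        # Cleartext body: LLC/SNAP header followed by the IP header a sniffer can read.
        info["cleartext_ip"] = body.startswith(LLC_SNAP_IP)
    return info

def build_data_frame(station, bssid, dst, body, protected):
    """Build a constructed To-DS data frame (station -> AP) for the demonstration."""
    fc0 = FC_TYPE_DATA << 2                      # type=data, subtype=0
    fc1 = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    header = struct.pack("<BBH", fc0, fc1, 0) + bssid + station + dst + struct.pack("<H", 0)
    return header + body

STATION = bytes.fromhex("00095b65d55c")   # station MAC from the AP log line in the thread
BSSID = bytes.fromhex("02000000aa01")     # constructed, locally administered address
GATEWAY = bytes.fromhex("02000000aa02")   # constructed

# Constructed IPv4 header fragment: 10.0.0.5 -> 10.0.0.1, protocol TCP
IPV4_HDR = bytes.fromhex("45000028000040004006" "0000" "0a000005" "0a000001")
CLEAR_FRAME = build_data_frame(STATION, BSSID, GATEWAY, LLC_SNAP_IP + IPV4_HDR, protected=False)
# Protected frame: IV 0x123456, key index 0, then opaque filler standing in for ciphertext
WEP_FRAME = build_data_frame(STATION, BSSID, GATEWAY,
                             bytes.fromhex("12345600") + bytes(range(40)), protected=True)

def audit_capture(frames):
    """Summarise how many data frames a passive listener could read in the clear."""
    parsed = [parse_frame(f) for f in frames]
    data = [p for p in parsed if p["type"] == FC_TYPE_DATA]
    clear = [p for p in data if not p["protected"]]
    return {
        "data_frames": len(data),
        "unprotected": len(clear),
        "unprotected_stations": sorted({p["addr2"] for p in clear}),
    }

if __name__ == "__main__":
    for f in (CLEAR_FRAME, WEP_FRAME):
        print(parse_frame(f))
    print(audit_capture([CLEAR_FRAME, WEP_FRAME]))
```

Run against a real capture, the interesting output is the station list under "unprotected_stations": a station that has completed EAP-TLS but still shows up there is exactly the symptom Chris saw before adding the per-VLAN cipher suite. The key index reported for protected frames is the on-wire value (0 to 3), not the 1 to 4 numbering Cisco uses in "encryption vlan 90 key 1".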


Re: EAP-TLS and WEP key generation

2004-05-24 Thread Bob McCormick
I honestly don't know, but I'd love to find out.
Three things I can think of to try...
1) You should be able to specify a vlan for your cypher suite, 
something like this " encryption vlan mode 90 mode ciphers wep128"  You 
might see if that makes any difference
2) You could try using "encryption mode web mandatory" instead of 
ciphers.
3) You could try upgrading to the latest IOS version for your AP,  
and/or open a TAC case.

On May 24, 2004, at 1:55 PM, Chris Bshaw wrote:
Hi Bob
Config attached.
Also, I should mention the config of the client. I am using a NetGear 
WG511 802.11g card. I don't have any security features enabled on the 
utility which comes with the WG511 (no WEP, WPA etc) and there are no 
options for EAP on this utility.

I enabled all the EAP stuff via the Authentication tab on the 
Properties of the interface under Start -> Network and Dialup 
connections in Windoze.

Under there I have the following set:
Enable network control using IEEE 802.1x
EAP Type: Smart Card or other Certificate
Use a certificate on this computer
and I select the certificate generated on my freeradius server. 
This is more or less what is described under 
http://www.freeradius.org/doc/EAPTLS.pdf.

There is a method in this doc for debugging EAP on the Cisco AP, which 
I had not noticed before... I'll try this tomorrow.

Finally, just in case you might not remember from my previous emails, 
I was (and I think still am) able to see EAPOL packets on my wireless 
client when I ran ethereal on the wireless interface.

Thanx in advance for your help.
Chris.




Re: EAP-TLS and WEP key generation

2004-05-24 Thread Chris Bshaw
Hi Bob
Config attached.
Also, I should mention the config of the client. I am using a NetGear WG511 
802.11g card. I don't have any security features enabled on the utility 
which comes with the WG511 (no WEP, WPA etc) and there are no options for 
EAP on this utility.

I enabled all the EAP stuff via the Authentication tab on the Properties of 
the interface under Start -> Network and Dialup connections in Windoze.

Under there I have the following set:
Enable network control using IEEE 802.1x
EAP Type: Smart Card or other Certificate
Use a certificate on this computer
and I select the certificate generated on my freeradius server. This is 
more or less what is described under 
http://www.freeradius.org/doc/EAPTLS.pdf.

There is a method in this doc for debugging EAP on the Cisco AP, which I had 
not noticed before... I'll try this tomorrow.

Finally, just in case you might not remember from my previous emails, I was 
(and I think still am) able to see EAPOL packets on my wireless client when 
I ran ethereal on the wireless interface.

Thanx in advance for your help.
Chris.


ap-confg
Description: Binary data
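The AP configuration Chris attached is not reproduced on the page, but the thread makes clear which lines decide whether an EAP SSID actually gets keyed: a cipher suite for the radio (or, for a VLAN-mapped SSID, the "encryption vlan N mode ciphers ..." lines Chris later added), "broadcast-key change", and "dot1x reauth-period server" so the RADIUS Session-Timeout is honoured. The auditor below is an added example, not code from the thread or from Cisco. Both sample configs are constructed: the "before" mirrors the symptom in the thread, the "after" contains the lines Chris and Bob arrived at. The rule that a VLAN-mapped SSID needs its own per-VLAN encryption and broadcast-key statements is an assumption drawn from what fixed Chris's setup, not from Cisco documentation, and SSIDs are nested under the radio interface as in Bob's sample config.

```python
"""Audit a Cisco autonomous AP config for the 802.1x/dynamic-WEP settings from the thread.

Added example, not the AP's or the thread's own code. The configs below are
constructed; the per-VLAN rule is an assumption based on what fixed the thread's setup.
"""
import re

ENC_GLOBAL = re.compile(r"^encryption mode (?:ciphers \S+|wep mandatory)$")
ENC_VLAN = re.compile(r"^encryption vlan (\d+) mode (?:ciphers \S+|wep mandatory)$")
BCAST = re.compile(r"^broadcast-key(?: vlan (\d+))? change (\d+)$")
SSID = re.compile(r"^ssid (\S+)$")
SSID_VLAN = re.compile(r"^vlan (\d+)$")
SSID_EAP = re.compile(r"^authentication open eap \S+$")
REAUTH = "dot1x reauth-period server"

def parse_radios(config_text):
    """Collect the keying-relevant lines of every 'interface Dot11RadioN' block."""
    radios, cur, cur_ssid = {}, None, None
    for raw in config_text.splitlines():
        m = re.match(r"^interface (Dot11Radio\d+)\s*$", raw)
        if m:
            cur = radios.setdefault(m.group(1), {"enc_global": False, "enc_vlans": set(),
                                                  "bcast": {}, "reauth_server": False, "ssids": {}})
            cur_ssid = None
            continue
        if cur is None:
            continue
        if not raw.startswith(" "):          # "!" or the next top-level command ends the block
            cur, cur_ssid = None, None
            continue
        line = raw.strip()
        if ENC_GLOBAL.match(line):
            cur["enc_global"] = True
        elif (m := ENC_VLAN.match(line)):
            cur["enc_vlans"].add(int(m.group(1)))
        elif (m := BCAST.match(line)):
            vlan = int(m.group(1)) if m.group(1) else None
            cur["bcast"][vlan] = int(m.group(2))
        elif (m := SSID.match(line)):
            cur_ssid = cur["ssids"].setdefault(m.group(1), {"vlan": None, "eap": False})
        elif cur_ssid is not None and (m := SSID_VLAN.match(line)):
            cur_ssid["vlan"] = int(m.group(1))
        elif cur_ssid is not None and SSID_EAP.match(line):
            cur_ssid["eap"] = True
        elif line == REAUTH:
            cur["reauth_server"] = True
    return radios

def audit_config(config_text, max_bcast_interval=600):
    """Return findings; an empty list means every EAP SSID is keyed the way the thread recommends."""
    findings = []
    for radio, r in parse_radios(config_text).items():
        if not r["reauth_server"]:
            findings.append(f"{radio}: missing '{REAUTH}'; the RADIUS Session-Timeout is ignored, "
                            "so clients never re-authenticate for a fresh unicast key")
        for ssid, s in r["ssids"].items():
            if not s["eap"]:
                continue                          # only 802.1x SSIDs are in scope here
            vlan = s["vlan"]
            if vlan is None:
                enc_ok, rotate = r["enc_global"], r["bcast"].get(None)
                want = "encryption mode ciphers ..."
            else:   # assumption: a VLAN-mapped SSID needs its own per-VLAN statements
                enc_ok, rotate = vlan in r["enc_vlans"], r["bcast"].get(vlan)
                want = f"encryption vlan {vlan} mode ciphers ..."
            if not enc_ok:
                findings.append(f"{radio}/{ssid}: EAP SSID without a cipher suite ({want}); "
                                "clients authenticate but data frames are sent unencrypted")
            if rotate is None:
                findings.append(f"{radio}/{ssid}: no broadcast-key rotation configured for its scope")
            elif rotate > max_bcast_interval:
                findings.append(f"{radio}/{ssid}: broadcast key rotates every {rotate}s (> {max_bcast_interval}s)")
    return findings

# Constructed "before": EAP SSID on VLAN 90, cipher suite only for the native VLAN, no reauth.
CONFIG_BEFORE = """\
interface Dot11Radio0
 no ip address
 encryption mode ciphers wep128
 broadcast-key change 600
 ssid corp
    vlan 90
    authentication open eap eap_methods
    guest-mode
!
interface FastEthernet0
 no ip address
!
"""

# Constructed "after": the per-VLAN lines from the thread plus Session-Timeout honoured.
CONFIG_AFTER = """\
interface Dot11Radio0
 no ip address
 encryption vlan 90 key 1 size 128bit 7 CE78330C1A841439656A9323F25A transmit-key
 encryption vlan 90 mode ciphers wep128
 broadcast-key vlan 90 change 600
 ssid corp
    vlan 90
    authentication open eap eap_methods
    guest-mode
 dot1x reauth-period server
!
"""

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit_config(cfg) or ["ok"])
```

The "before" config produces three findings (no cipher suite for VLAN 90, no broadcast-key rotation for that VLAN, Session-Timeout not honoured), which is the combination that lets EAP-TLS succeed while the data frames still go out in the clear; the "after" config produces none.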


Re: EAP-TLS and WEP key generation

2004-05-24 Thread Bob McCormick
Could you post the config from your AP?
On May 24, 2004, at 10:44 AM, Chris Bshaw wrote:
Hi Bob
You might remember from my previous postings that I was connecting via 
wireless connection using EAP-TLS via a Cisco 1200 AP and a freeradius 
server, but my connections weren't appearing as WEP encrypted.

As per your suggestion, I downloaded kismet (I don't have a Mac) and 
have it running on my linux laptop as my sniffer... I have not 
joined this machine to the network, so it is just passively capturing 
wireless data.

I then got another Win2K laptop and connected it to our network using 
EAP/TLS via the Cisco 1200 and a freeradius server. It all works as 
before.the client laptop connects OK and the radiusd logging shows 
MS-MPPE stuff which I believe indicates that WEP keys are being 
generated.

However, kismet does not show the traffic as encrypted...
Also, if I open the dump formatted file that kismet generates using 
ethereal I can see the data inside packets... eg: the echo's from a 
telnet session are readable in ASCII... no WEP key required to decode, 
and besides, my sniffer doesn't know the key to decode.

Either it is possible to have EAP-TLS without WEP, or I have badly 
missed something in my configuration... probably the latter.

I would be most grateful for any help in unravelling this...
Thanx in advance
Chris.


From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Thu, 20 May 2004 10:52:14 -0600
On May 20, 2004, at 10:08 AM, Chris Bshaw wrote:
Hi
Thanx to everyone who has replied so far... very helpful. A few more 
questions.

Bob... I tried your settings below. My client does connect and I 
can see the EAP-TLS exchange via the radiusd debugging info. I also 
see MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and 
in ethereal on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
On the AP, what command are you running that says there is no 
encryption?

2. A show logging on the AP has a line like this when a client 
machine associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 
  0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
Do you have TKIP or CKIP enabled in your config?  The config I sent 
you does not.   It's possible the log message is talking about TKIP 
key management?  I'm not certain.


3. I thought guest-mode meant that anyone could connect without EAP 
(or WEP)am I wrong on this?
You are completely wrong.  :-)
A Cisco AP can support multiple SSID's, but only one SSID can be 
broadcast in the beacon.  The SSID that is in "Guest mode" is the one 
being beaconed.   You can also have no guest mode SSID's at all, and 
then no SSID will be included in your AP's beacons.  (but it *will* 
still beacon).

4. I set the dynamic rekeying interval to 120 seconds (instead of 
600 seconds as you have below)... however, after the first 
successful connection, I never see any transaction on the radiusd 
server... you mention I should configure the AP to honor the 
Session-Timeout from the radius server... should I also set 
Session-Timeout = 120 on the freeradius server and if so where? (eg: 
in the raddb/attrs file?)...
When you're using 802.1x authentication, there are actually 2 wep 
keys involved.  One is the per-user key assigned by the radius 
server.  It's used to encrypt unicast traffic.  Then there is a 
broadcast key used to encrypt broadcast and multicast traffic.  That 
key is shared by all clients that are associated to the AP.   The 
statement "broadcast-key change 600", causes a Cisco AP to change the 
broadcast WEP key every 600 seconds and distribute the new key to all 
associated clients.  The Session-Timeout causes the AP to 
disassociate the client from the AP.  The client will then attempt to 
automatically re-associate.  When it does, the radius server will 
give the client a new unicast WEP key... So yes, in addition to 
telling the AP to honor the Session-Timeout, you will need to tell 
Freeradius to send a Session-Timeout.   It looks like this: (in your 
Freeradius users file)

# BDM - for all users, send a session-timeout value of 15 minutes 
(900 seconds)
# to the AP.  For Cisco AP's you MUST make sure the AP is configured
# to honor the Session-Timeout value (it doesn't by default)
DEFAULT
Session-Timeout := 900,
Fall-Through = Yes

Put that at the VERY top of your users file.
5. Does my client wlan card and/or card driver need to support WEP 
dynamic rekeying? Or is it the w2k supplicant which handles this? 
(in case you missed it below I am using a NetGear WG511 card).
As long as your card supports 802.1x I believe you're fine.  The 
supplicant will handle everything else.

One thing you mi

Re: EAP-TLS and WEP key generation

2004-05-24 Thread Chris Bshaw
Hi Bob
You might remember from my previous postings that I was connecting via 
wireless connection using EAP-TLS via a Cisco 1200 AP and a freeradius 
server, but my connections weren't appearing as WEP encrypted.

As per your suggestion, I downloaded kismet (I don't have a Mac) and have it 
running on my linux laptop as my sniffer... I have not joined this machine 
to the network, so it is just passively capturing wireless data.

I then got another Win2K laptop and connected it to our network using 
EAP/TLS via the Cisco 1200 and a freeradius server. It all works as 
before... the client laptop connects OK and the radiusd logging shows 
MS-MPPE stuff which I believe indicates that WEP keys are being generated.

However, kismet does not show the traffic as encrypted...
Also, if I open the dump formatted file that kismet generates using ethereal 
I can see the data inside packets... eg: the echo's from a telnet session 
are readable in ASCII... no WEP key required to decode, and besides, my 
sniffer doesn't know the key to decode.

Either it is possible to have EAP-TLS without WEP, or I have badly missed 
something in my configuration... probably the latter.

I would be most grateful for any help in unravelling this...
Thanx in advance
Chris.


From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Thu, 20 May 2004 10:52:14 -0600
On May 20, 2004, at 10:08 AM, Chris Bshaw wrote:
Hi
Thanx to everyone who has replied so far... very helpful. A few more 
questions.

Bob... I tried your settings below. My client does connect and I can see 
the EAP-TLS exchange via the radiusd debugging info. I also see 
MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in ethereal 
on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
On the AP, what command are you running that says there is no encryption?
2. A show logging on the AP has a line like this when a client machine 
associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   
0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
Do you have TKIP or CKIP enabled in your config?  The config I sent you 
does not.   It's possible the log message is talking about TKIP key 
management?  I'm not certain.


3. I thought guest-mode meant that anyone could connect without EAP (or 
WEP)am I wrong on this?
You are completely wrong.  :-)
A Cisco AP can support multiple SSID's, but only one SSID can be broadcast 
in the beacon.  The SSID that is in "Guest mode" is the one being beaconed. 
  You can also have no guest mode SSID's at all, and then no SSID will be 
included in your AP's beacons.  (but it *will* still beacon).

4. I set the dynamic rekeying interval to 120 seconds (instead of 600 
seconds as you have below)... however, after the first successful 
connection, I never see any transaction on the radiusd server... you 
mention I should configure the AP to honor the Session-Timeout from the 
radius server... should I also set Session-Timeout = 120 on the 
freeradius server and if so where? (eg: in the raddb/attrs file?)...
When you're using 802.1x authentication, there are actually 2 wep keys 
involved.  One is the per-user key assigned by the radius server.  It's 
used to encrypt unicast traffic.  Then there is a broadcast key used to 
encrypt broadcast and multicast traffic.  That key is shared by all clients 
that are associated to the AP.   The statement "broadcast-key change 600", 
causes a Cisco AP to change the broadcast WEP key every 600 seconds and 
distribute the new key to all associated clients.  The Session-Timeout 
causes the AP to disassociate the client from the AP.  The client will then 
attempt to automatically re-associate.  When it does, the radius server 
will give the client a new unicast WEP key... So yes, in addition to 
telling the AP to honor the Session-Timeout, you will need to tell 
Freeradius to send a Session-Timeout.   It looks like this: (in your 
Freeradius users file)

# BDM - for all users, send a session-timeout value of 15 minutes (900 
seconds)
# to the AP.  For Cisco AP's you MUST make sure the AP is configured
# to honor the Session-Timeout value (it doesn't by default)
DEFAULT
Session-Timeout := 900,
Fall-Through = Yes

Put that at the VERY top of your users file.
5. Does my client wlan card and/or card driver need to support WEP dynamic 
rekeying? Or is it the w2k supplicant which handles this? (in case you 
missed it below I am using a NetGear WG511 card).
As long as your card supports 802.1x I believe you're fine.  The supplicant 
will handle everything else.

One thing you might do to verify that your clients *are* indeed using a WEP 
key would be to download a wireless sni
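Bob's reply above gives two checks a defender can make from the AP's own log: what the %DOT11-6-ASSOC line reports in KEY_MGMT[...] for each station, and whether stations re-associate at the Session-Timeout cadence (it is the re-association, not the broadcast-key timer, that makes the RADIUS server hand the client a fresh unicast key). The Python below is an added example, not code from the thread or from Cisco. It parses association lines in the format of the one Chris quoted and flags both conditions. The log lines are constructed sample data (only the first is the thread's own line); the KEY_MGMT[WPA] value, the year 2004 used to complete the IOS timestamps, and the "2x Session-Timeout" threshold are assumptions.

```python
"""Audit Cisco AP %DOT11-6-ASSOC log lines for key management and re-keying cadence.

Added example, not code from the thread or from Cisco. Sample lines are
constructed; KEY_MGMT values other than NONE and the year are assumptions.
"""
import re
from datetime import datetime

ASSOC_RE = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\.\d+: %DOT11-6-ASSOC: "
    r"Interface (?P<intf>\S+), Station\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"Associated KEY_MGMT\[(?P<keymgmt>[^\]]+)\]"
)

def parse_assoc(line, year=2004):
    """Return (timestamp, interface, station, key_mgmt) for an ASSOC line, else None."""
    m = ASSOC_RE.search(line)
    if not m:
        return None
    # IOS timestamps carry no year, so one is supplied to build a datetime (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["intf"], m["mac"], m["keymgmt"]

def audit_associations(lines, expected_keymgmt="WPA", session_timeout=900):
    """Return (station, message) findings for unexpected key management or stale keys.

    A station whose consecutive associations are more than 2x Session-Timeout apart
    was not being forced to re-authenticate, so its unicast key was never refreshed.
    """
    findings, last_seen = [], {}
    for line in lines:
        parsed = parse_assoc(line)
        if parsed is None:
            continue                      # not an association message
        ts, _intf, mac, keymgmt = parsed
        if keymgmt != expected_keymgmt:
            findings.append((mac, f"associated with KEY_MGMT[{keymgmt}], "
                                  f"expected KEY_MGMT[{expected_keymgmt}]"))
        if mac in last_seen:
            gap = (ts - last_seen[mac]).total_seconds()
            if gap > 2 * session_timeout:
                findings.append((mac, f"{gap:.0f}s between associations, more than "
                                      f"2x Session-Timeout ({session_timeout}s)"))
        last_seen[mac] = ts
    return findings

# Constructed sample log: line 0 is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0009.5b65.d55c Associated KEY_MGMT[NONE]",
    "*Mar  3 01:26:30.110: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0002.2d11.aabb Associated KEY_MGMT[WPA]",
    "*Mar  3 01:41:07.002: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0002.2d11.aabb Associated KEY_MGMT[WPA]",
    "*Mar  3 02:10:00.000: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  3 02:30:15.000: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0009.5b65.d55c Associated KEY_MGMT[NONE]",
]

if __name__ == "__main__":
    for mac, msg in audit_associations(SAMPLE_LOG):
        print(f"{mac}: {msg}")
```

In a dynamic-WEP setup like Chris's, with no "authentication key-management" command, KEY_MGMT[NONE] is the value Bob's later reply suggests is normal, so run the audit with expected_keymgmt="NONE" there; the re-association check is the one that tells you whether the Session-Timeout is being honoured at all.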

Re: EAP-TLS and WEP key generation

2004-05-21 Thread Bob McCormick
Sure, you just need an 802.1x supplicant (just like you would for any 
other OS).   These are the ones I know of for Linux:

Xsupplicant (OpenSource)
http://open1x.sourceforge.net/
Meetinghouse Aegis client (Commercial Proprietary)
http://www.mtghouse.com/products/aegisclient/index.shtml
On May 21, 2004, at 10:55 AM, Jeff Bilder wrote:
is it possible to have wireless linux users authenticate with EAP?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris
Bshaw
Sent: Friday, May 21, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Hi all
Thanx for all the info. I would certainly like to see your Word doc on 
the
subject.

Yet another question... is there any advantage to using 802.1x + TKIP 
+ MIC
instead of the config you helped me get working?

TIA
Chris.


From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Fri, 21 May 2004 10:04:03 -0600

To add to the WPA confusion, there are actually two types of
authentication within the WPA "standard".   There's 802.1x + TKIP + 
MIC for
enterprises, then there's something called WPA personal that's for 
home
users or really small businesses that don't have a Radius server.

BTW.   I've got an MS-Word doc with screenshots for how to configure 
XP for
PEAP.   I could post it to the list if you'd like?

On May 21, 2004, at 10:02 AM, Alan DeKok wrote:
Bob McCormick <[EMAIL PROTECTED]> wrote:
Errr.. That's because Freeradius doesn't have to.  WPA is a 
combination
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
supported by your AP and your client (supplicant), but the radius
server doesn't need to know anything about it.
  Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
"network key" (i.e. wpa), but refuses to authenticate via PEAP.
  Alan DeKok.




RE: EAP-TLS and WEP key generation

2004-05-21 Thread Jeff Bilder
is it possible to have wireless linux users authenticate with EAP?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris
Bshaw
Sent: Friday, May 21, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation


Hi all

Thanx for all the info. I would certainly like to see your Word doc on the 
subject.

Yet another question... is there any advantage to using 802.1x + TKIP + MIC 
instead of the config you helped me get working?

TIA

Chris.




>From: Bob McCormick <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: EAP-TLS and WEP key generation
>Date: Fri, 21 May 2004 10:04:03 -0600
>
>To add to the WPA confusion, there are actually two types of 
>authentication within the WPA "standard".   There's 802.1x + TKIP + MIC for 
>enterprises, then there's something called WPA personal that's for home 
>users or really small businesses that don't have a Radius server.
>
>BTW.   I've got an MS-Word doc with screenshots for how to configure XP for 
>PEAP.   I could post it to the list if you'd like?
>
>On May 21, 2004, at 10:02 AM, Alan DeKok wrote:
>
>>Bob McCormick <[EMAIL PROTECTED]> wrote:
>>>Errr.. That's because Freeradius doesn't have to.  WPA is a combination
>>>of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
>>>supported by your AP and your client (supplicant), but the radius
>>>server doesn't need to know anything about it.
>>
>>   Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
>>"network key" (i.e. wpa), but refuses to authenticate via PEAP.
>>
>>   Alan DeKok.
>>
>>






Re: EAP-TLS and WEP key generation

2004-05-21 Thread Chris Bshaw
Hi all
Thanx for all the info. I would certainly like to see your Word doc on the 
subject.

Yet another question... is there any advantage to using 802.1x + TKIP + MIC 
instead of the config you helped me get working?

TIA
Chris.


From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Fri, 21 May 2004 10:04:03 -0600

To add to the WPA confusion, there are actually two types of 
authentication within the WPA "standard".   There's 802.1x + TKIP + MIC for 
enterprises, then there's something called WPA personal that's for home 
users or really small businesses that don't have a Radius server.

BTW.   I've got an MS-Word doc with screenshots for how to configure XP for 
PEAP.   I could post it to the list if you'd like?

On May 21, 2004, at 10:02 AM, Alan DeKok wrote:
Bob McCormick <[EMAIL PROTECTED]> wrote:
Errr.. That's because Freeradius doesn't have to.  WPA is a combination
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
supported by your AP and your client (supplicant), but the radius
server doesn't need to know anything about it.
  Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
"network key" (i.e. wpa), but refuses to authenticate via PEAP.
  Alan DeKok.




Re: EAP-TLS and WEP key generation

2004-05-21 Thread Bob McCormick
To add to the WPA confusion, there are actually two types of 
authentication within the WPA "standard".   There's 802.1x + TKIP + MIC 
for enterprises, then there's something called WPA personal that's for 
home users or really small businesses that don't have a Radius server.

BTW.   I've got an MS-Word doc with screenshots for how to configure XP 
for PEAP.   I could post it to the list if you'd like?

On May 21, 2004, at 10:02 AM, Alan DeKok wrote:
Bob McCormick <[EMAIL PROTECTED]> wrote:
Errr.. That's because Freeradius doesn't have to.  WPA is a 
combination
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
supported by your AP and your client (supplicant), but the radius
server doesn't need to know anything about it.
  Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
"network key" (i.e. wpa), but refuses to authenticate via PEAP.
  Alan DeKok.



Re: EAP-TLS and WEP key generation

2004-05-21 Thread Alan DeKok
Bob McCormick <[EMAIL PROTECTED]> wrote:
> Errr.. That's because Freeradius doesn't have to.  WPA is a combination 
> of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be 
> supported by your AP and your client (supplicant), but the radius 
> server doesn't need to know anything about it.

  Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
"network key" (i.e. wpa), but refuses to authenticate via PEAP.

  Alan DeKok.




Re: EAP-TLS and WEP key generation

2004-05-21 Thread Bob McCormick
Errr.. That's because Freeradius doesn't have to.  WPA is a combination 
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be 
supported by your AP and your client (supplicant), but the radius 
server doesn't need to know anything about it.   I've tested WPA with a 
Cisco 1100 AP, Freeradius (for the 802.1x authentication) and both  
Windows XP and Mac OSX 10.3 clients.  It works great.

On May 21, 2004, at 8:34 AM, Alan DeKok wrote:
"Chris Bshaw" <[EMAIL PROTECTED]> wrote:
Can I (and if so should I) use WPA key management with the setup I 
have and
if so how do I configure freeradius for this?
  FreeRADIUS doesn't do WPA or TKIP.
If I can't use WPA, is EAP-TLS + regular WEP rekeying considered to be
secure enough?
  Yes.
  Alan DeKok.



Re: EAP-TLS and WEP key generation

2004-05-21 Thread Alan DeKok
"Chris Bshaw" <[EMAIL PROTECTED]> wrote:
> Can I (and if so should I) use WPA key management with the setup I have and 
> if so how do I configure freeradius for this?

  FreeRADIUS doesn't do WPA or TKIP.

> If I can't use WPA, is EAP-TLS + regular WEP rekeying considered to be 
> secure enough?

  Yes.

  Alan DeKok.



Re: EAP-TLS and WEP key generation

2004-05-21 Thread Chris Bshaw
Hi
Thanx for this reply and your previous one.
I tried the Session-Timeout in the radius users file and it works... so 
thanx for that.

To answer one of your questions, on the AP I go to the web interface for the 
AP and in there I go into Associations. I then select my client from the 
list to get its association details and in there it says Encryption = Off. 
I'll try kismet as soon as I can.

As regards the WPA TKIP key management command you mention below, if I 
understand correctly WPA is supposed to be much better than WEP.

Can I (and if so should I) use WPA key management with the setup I have and 
if so how do I configure freeradius for this?

If I can't use WPA, is EAP-TLS + regular WEP rekeying considered to be 
secure enough?

Thanx in advance again.
Chris Bradshaw

From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Thu, 20 May 2004 15:48:35 -0600
On May 20, 2004, at 10:08 AM, Chris Bshaw wrote:
Hi
Thanx to everyone who has replied so far... very helpful. A few more 
questions.

Bob... I tried your settings below. My client does connect and I can see 
the EAP-TLS exchange via the radiusd debugging info. I also see  
MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in  
ethereal on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
2. A show logging on the AP has a line like this when a client machine  
associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
I think I may have found what that message is referring to.  Under each  
SSID you can put the command "authentication key-management { [wpa]  [cckm] 
} [ optional ]".  My guess is that you don't have this command.
I believe this is part of enabling TKIP(wpa) or the older Cisco  
proprietary CCKM.

Here's a URL for more info.
http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_command_reference_chapter09186a00801d016c.html#2484789


3. I thought guest-mode meant that anyone could connect without EAP  (or 
WEP)am I wrong on this?

4. I set the dynamic rekeying interval to 120 seconds (instead of 600  
seconds as you have below)... however, after the first successful 
connection, I never see any transaction on the radiusd server... you 
mention I should configure the AP to honor the Session-Timeout from the 
radius server... should I also set Session-Timeout = 120 on the 
freeradius server and if so where? (eg: in the raddb/attrs file?)...

5. Does my client wlan card and/or card driver need to support WEP  
dynamic rekeying? Or is it the w2k supplicant which handles this? (in  
case you missed it below I am using a NetGear WG511 card).

Thanx again in advance
Chris Bradshaw


From: Bob McCormick <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Thu, 20 May 2004 08:54:41 -0600
What kind of cipher suite did you configure on your AP?   For a Cisco  
AP, you should have something like this:

interface Dot11Radio0
 no ip address
 no ip route-cache
! #   Require wep128 encryption
 encryption mode ciphers wep128
 ! # rotate broadcast wep key every 10 minutes
 broadcast-key change 600
! # Create an SSID named "ssid1"
! # Require EAP authentication
! # broadcast the SSID
 ssid ssid1
authentication open eap eap_methods
guest-mode
! ## set the data rates support and/or required by the AP
! ## These are the rates recommended by Cisco for best throughput
! ## for supporting both 802.11.b and 802.11g
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0  24.0 
36.0 48.0 54.0

You'll also need to configure the AP to honor the Session-Timeout  value 
returned by the Radius server (by default, Cisco AP's don't).

! ## Tell the AP to honor the Session-Timeout returned by the  Radius 
server
 dot1x reauth-period server

On May 20, 2004, at 3:28 AM, Chris Bshaw wrote:
Hi Andrea
Thanx for the reply. Using ethereal I can see the EAPOL packets on  the 
wireless client.

However, if I go into the status monitor for the wireless card, its  
says security = none (would normally say security = wep if I was  using 
static non-EAP/TLS wep).

Also, as I mentioned below, the Cisco AP also says that the client  is 
'EAP-associated' but that Encryption is off.

However, everything works.I am connected to the WLAN just  
fine.I am just unsure whether or not my connection is encrypted  
with a WEP key.

I have read some more on this. I am not sure if I understand this  
correctlyso feel free to correct me. Once the mutual  authentication 
is complete via EAP, the AP maintains per-client WEP  keys which are 
generated once per 1x auth (a

Re: EAP-TLS and WEP key generation

2004-05-20 Thread Bob McCormick
On May 20, 2004, at 10:08 AM, Chris Bshaw wrote:
Hi
Thanx to everyone who has replied so far...very helpful. A few more
questions.

Bob...I tried your settings below. My client does connect and I can
see the EAP-TLS exchange via the radiusd debugging info. I also see
MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in
ethereal on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
2. A show logging on the AP has a line like this when a client machine  
associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
I think I may have found what that message is referring to.  Under each  
SSID you can put the command "authentication key-management { [wpa]  
[cckm] } [ optional ]".  My guess is that you don't have this command.
I believe this is part of enabling TKIP(wpa) or the older Cisco  
proprietary CCKM.

Here's a URL for more info.
http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/ 
products_command_reference_chapter09186a00801d016c.html#2484789


3. I thought guest-mode meant that anyone could connect without EAP
(or WEP)...am I wrong on this?

4. I set the dynamic rekeying interval to 120 seconds (instead of 600
seconds as you have below)...however, after the first successful
connection, I never see any transaction on the radiusd server...you
mention I should configure the AP to honor the Session-Timeout from
the radius server...should I also set Session-Timeout = 120 on the
freeradius server and if so where? (eg: in the raddb/attrs file?)...

5. Does my client wlan card and/or card driver need to support WEP  
dynamic rekeying? Or is it the w2k supplicant which handles this? (in  
case you missed it below I am using a NetGear WG511 card).

Thanx again in advance
Chris Bradshaw



Re: EAP-TLS and WEP key generation

2004-05-20 Thread Bob McCormick
On May 20, 2004, at 10:08 AM, Chris Bshaw wrote:
Hi
Thanx to everyone who has replied so far...very helpful. A few more
questions.

Bob...I tried your settings below. My client does connect and I can
see the EAP-TLS exchange via the radiusd debugging info. I also see
MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in
ethereal on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
On the AP, what command are you running that says there is no 
encryption?

2. A show logging on the AP has a line like this when a client machine 
associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   
0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
Do you have TKIP or CKIP enabled in your config?  The config I sent you 
does not.   It's possible the log message is talking about TKIP key 
management?  I'm not certain.


3. I thought guest-mode meant that anyone could connect without EAP
(or WEP)...am I wrong on this?
You are completely wrong.  :-)
A Cisco AP can support multiple SSID's, but only one SSID can be 
broadcast in the beacon.  The SSID that is in "Guest mode" is the one 
being beaconed.   You can also have no guest mode SSID's at all, and 
then no SSID will be included in your AP's beacons.  (but it *will* 
still beacon).

4. I set the dynamic rekeying interval to 120 seconds (instead of 600
seconds as you have below)...however, after the first successful
connection, I never see any transaction on the radiusd server...you
mention I should configure the AP to honor the Session-Timeout from
the radius server...should I also set Session-Timeout = 120 on the
freeradius server and if so where? (eg: in the raddb/attrs file?)...
When you're using 802.1x authentication, there are actually 2 wep keys
involved.  One is the per-user key assigned by the radius server.  It's
used to encrypt unicast traffic.  Then there is a broadcast key used to
encrypt broadcast and multicast traffic.  That key is shared by all
clients that are associated to the AP.   The statement "broadcast-key
change 600" causes a Cisco AP to change the broadcast WEP key every
600 seconds and distribute the new key to all associated clients.  The
Session-Timeout causes the AP to disassociate the client from the AP.
The client will then attempt to automatically re-associate.  When it does,
the radius server will give the client a new unicast WEP key.  So
yes, in addition to telling the AP to honor the Session-Timeout, you
will need to tell Freeradius to send a Session-Timeout.   It looks like
this (in your Freeradius users file):

# BDM - for all users, send a session-timeout value of 15 minutes (900 
seconds)
# to the AP.  For Cisco AP's you MUST make sure the AP is configured
# to honor the Session-Timeout value (it doesn't by default)
DEFAULT
Session-Timeout := 900,
Fall-Through = Yes

Put that at the VERY top of your users file.
5. Does my client wlan card and/or card driver need to support WEP 
dynamic rekeying? Or is it the w2k supplicant which handles this? (in 
case you missed it below I am using a NetGear WG511 card).
As long as your card supports 802.1x I believe you're fine.  The 
supplicant will handle everything else.

One thing you might do to verify that your clients *are* indeed using a
WEP key would be to download a wireless sniffer like Kismet (or Kismac
for Macintosh).  They'll tell you if the traffic on the SSID is WEP
encrypted or not.   Kismac is a damn useful tool to have around anyway.
It's a great way to look for rogue AP's, even if they have hidden
SSID's.   The config snippets I sent you are from my Cisco 1100 AP, and
Kismac shows its SSID as WEP encrypted.

Thanx again in advance
Chris Bradshaw



Re: EAP-TLS and WEP key generation

2004-05-20 Thread Chris Bshaw
Hi
Thanx to everyone who has replied so far...very helpful. A few more
questions.

Bob...I tried your settings below. My client does connect and I can see
the EAP-TLS exchange via the radiusd debugging info. I also see
MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in ethereal
on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
2. A show logging on the AP has a line like this when a client machine 
associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   
0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
3. I thought guest-mode meant that anyone could connect without EAP (or
WEP)...am I wrong on this?

4. I set the dynamic rekeying interval to 120 seconds (instead of 600
seconds as you have below)...however, after the first successful
connection, I never see any transaction on the radiusd server...you
mention I should configure the AP to honor the Session-Timeout from the
radius server...should I also set Session-Timeout = 120 on the freeradius
server and if so where? (eg: in the raddb/attrs file?)...

5. Does my client wlan card and/or card driver need to support WEP dynamic 
rekeying? Or is it the w2k supplicant which handles this? (in case you 
missed it below I am using a NetGear WG511 card).

Thanx again in advance
Chris Bradshaw



Re: EAP-TLS and WEP key generation

2004-05-20 Thread Alan DeKok
"Htin Hlaing" <[EMAIL PROTECTED]> wrote:
> My understanding was that RADIUS server is responsible generating
> the first set of keys (mppe keys) which is used by the client and AP
> as the master key to generate their dynamic encryption keys and they
> will do the further generation of keys at "rotation".  So, RADIUS
> server is involved only in the generation of the master key at
> authentication time.  Is this correct?

  No.

  There is no "master" key.  When the current dynamic WEP key expires,
the user re-authenticates, and gets a new dynamic WEP key.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS and WEP key generation

2004-05-20 Thread Bob McCormick
What kind of cipher suite did you configure on your AP?   For a Cisco 
AP, you should have something like this:

interface Dot11Radio0
 no ip address
 no ip route-cache
 ! # Require wep128 encryption
 encryption mode ciphers wep128
 ! # rotate broadcast wep key every 10 minutes
 broadcast-key change 600
 ! # Create an SSID named "ssid1"
 ! # Require EAP authentication
 ! # broadcast the SSID
 ssid ssid1
    authentication open eap eap_methods
    guest-mode
 ! ## set the data rates supported and/or required by the AP
 ! ## These are the rates recommended by Cisco for best throughput
 ! ## for supporting both 802.11b and 802.11g
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

You'll also need to configure the AP to honor the Session-Timeout value 
returned by the Radius server (by default, Cisco AP's don't).

 ! ## Tell the AP to honor the Session-Timeout returned by the Radius server
 dot1x reauth-period server


RE: EAP-TLS and WEP key generation

2004-05-20 Thread Htin Hlaing
Hi Alan,

 
> > So it seems that the AP is responsible for the WEP keys and their
> > rotation..correct?
> 
>   Yes and no.  It's responsible for using the keys, and asking for
> their rotation, but the RADIUS server generates the keys.
> 

[Htin Hlaing] My understanding was that the RADIUS server is responsible
for generating the first set of keys (mppe keys) which is used by the client
and AP as the master key to generate their dynamic encryption keys and
they will do the further generation of keys at "rotation".  So, RADIUS
server is involved only in the generation of the master key at
authentication time.  Is this correct?

Thanks,
Htin



Re: EAP-TLS and WEP key generation

2004-05-20 Thread Andrea G. Forte
Chris,

you do not have to worry about setting the keys manually. The EAP-tls
takes care of it. You have to set the keys manually, or better use static
keys, only if you wish to use WEP and nothing else. If you use WPA then
the Radius server takes care of it together with the authenticator.
Once authenticated by using EAP-tls, if you sniff your traffic you will
see all WEP data frames.

Andrea




Re: EAP-TLS and WEP key generation

2004-05-20 Thread Alan DeKok
"Chris Bshaw" <[EMAIL PROTECTED]> wrote:
> However, everything works...I am connected to the WLAN just fine...I am
> just unsure whether or not my connection is encrypted with a WEP key.

  Run the server in debugging mode.  If you see it sending "MPPE" keys
to the AP, then your wireless traffic is encrypted.

> I have read some more on this. I am not sure if I understand this 
> correctly...so feel free to correct me. Once the mutual authentication is
> complete via EAP, the AP maintains per-client WEP keys which are generated 
> once per 1x auth (and can be regenerated after some period of time, e.g. 1 
> hr) and a broadcast WEP key which is the same across clients (also can be 
> regenerated after some period of time.)

  Yes.

> So it seems that the AP is responsible for the WEP keys and their
> rotation...correct?

  Yes and no.  It's responsible for using the keys, and asking for
their rotation, but the RADIUS server generates the keys.

> If so, I currently have WEP encryption disabled on my AP, and on my client.
> I had assumed that EAP-TLS took care of everything.

  Yes.

  Alan DeKok.
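
An added check, written for this thread (not FreeRADIUS's own code and not from any poster), that applies Alan's test above together with Bob's earlier point about Session-Timeout: it walks a constructed snippet in the style of radiusd -X output and, for each Access-Accept, reports whether both MS-MPPE keys were sent (so the AP holds a unicast WEP key for that station) and whether a Session-Timeout came back (so an AP set to `dot1x reauth-period server` will force re-authentication and a fresh key). The debug line formats, addresses, packet ids and key bytes are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the style of `radiusd -X` output; the line formats and
# all values (addresses, ids, key bytes) are assumptions, not real captures.
# Packet 12: EAP-TLS success for "chris" that returns both MS-MPPE keys
# (the dynamic unicast WEP key material) plus a Session-Timeout of 900 s.
# Packet 13: a success that returns neither, so the AP never gets a key and
# the station ends up "EAP-associated" with Encryption = none.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=12, length=181
\tUser-Name = "chris"
\tCalling-Station-Id = "0009.5b65.d55c"
\tEAP-Message = 0x020a00060d00
Sending Access-Accept of id 12 to 192.0.2.10:1645
\tMS-MPPE-Recv-Key = 0x8a0102030405060708090a0b0c0d0e0f
\tMS-MPPE-Send-Key = 0x8b0f0e0d0c0b0a090807060504030201
\tEAP-Message = 0x030a0004
\tSession-Timeout = 900
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=13, length=175
\tUser-Name = "nokeys"
\tCalling-Station-Id = "0012.f0aa.bb01"
\tEAP-Message = 0x020b00060d00
Sending Access-Accept of id 13 to 192.0.2.10:1645
\tEAP-Message = 0x030b0004
"""

# Packet header lines start in column 0; attribute lines are indented.
REQUEST_RE = re.compile(r"^rad_recv: (Access-Request) packet from host \S+, id=(\d+)")
REPLY_RE = re.compile(r"^Sending (Access-Accept|Access-Reject) of id (\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")


@dataclass
class Packet:
    kind: str
    pkt_id: int
    attrs: dict = field(default_factory=dict)


def parse_debug(text: str) -> list:
    """Group each indented attribute line under the packet line above it."""
    packets = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line) or REPLY_RE.match(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(2))))
            continue
        m = ATTR_RE.match(line)
        if m and packets:
            packets[-1].attrs[m.group(1)] = m.group(2).strip('"')
    return packets


@dataclass
class Finding:
    user: str
    station: str
    keyed: bool                      # both MS-MPPE keys present in the Accept
    session_timeout: Optional[int]   # seconds until the AP forces re-auth
    problems: list = field(default_factory=list)


def audit_sessions(packets: list) -> list:
    """One Finding per Access-Accept, joined to its request by packet id."""
    requests = {p.pkt_id: p for p in packets if p.kind == "Access-Request"}
    findings = []
    for p in packets:
        if p.kind != "Access-Accept":
            continue
        req = requests.get(p.pkt_id, Packet("Access-Request", p.pkt_id))
        keyed = "MS-MPPE-Send-Key" in p.attrs and "MS-MPPE-Recv-Key" in p.attrs
        timeout = p.attrs.get("Session-Timeout")
        f = Finding(req.attrs.get("User-Name", "?"),
                    req.attrs.get("Calling-Station-Id", "?"),
                    keyed, int(timeout) if timeout else None)
        if not keyed:
            f.problems.append("no MS-MPPE keys in Access-Accept: AP has no unicast WEP key")
        if f.session_timeout is None:
            f.problems.append("no Session-Timeout: AP never forces re-auth, unicast key never rotates")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_sessions(parse_debug(SAMPLE_DEBUG)):
        status = "keyed" if f.keyed else "NOT keyed"
        print(f"{f.user:8} {f.station}  {status}  Session-Timeout={f.session_timeout}")
        for problem in f.problems:
            print("   !", problem)
```

Run it over the output of your own `radiusd -X` session (the sample's line shapes are a guess at that format, so adjust the regexes if yours differ) to confirm the keys Chris saw in the debug output are actually delivered for every accepted station.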




Re: EAP-TLS and WEP key generation

2004-05-20 Thread Chris Bshaw
Hi Andrea
Thanx for the reply. Using ethereal I can see the EAPOL packets on the 
wireless client.

However, if I go into the status monitor for the wireless card, its says 
security = none (would normally say security = wep if I was using static 
non-EAP/TLS wep).

Also, as I mentioned below, the Cisco AP also says that the client is 
'EAP-associated' but that Encryption is off.

However, everything works...I am connected to the WLAN just fine...I am
just unsure whether or not my connection is encrypted with a WEP key.

I have read some more on this. I am not sure if I understand this 
correctly...so feel free to correct me. Once the mutual authentication is
complete via EAP, the AP maintains per-client WEP keys which are generated 
once per 1x auth (and can be regenerated after some period of time, e.g. 1 
hr) and a broadcast WEP key which is the same across clients (also can be 
regenerated after some period of time.)

So it seems that the AP is responsible for the WEP keys and their
rotation...correct?

If so, I currently have WEP encryption disabled on my AP, and on my client.
I had assumed that EAP-TLS took care of everything.

How do you have your client and hostapd configured? Do you have WEP enabled?
If so, since the keys are generated dynamically, do you just leave the WEP 
key fields on the client and AP blank?

Thanx in advance
Chris Bradshaw

From: "Andrea G. Forte" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Wed, 19 May 2004 17:25:12 -0400 (EDT)
Chris,
the whole purpose of 802.1x is to generate a secure auth mechanism and
dynamic re-keying. I have used hostapd together with freeradius and the
key generation as well as the re-keying are automatic. You can set the
re-keying interval as well.
I am not familiar with your setup, but a way to find out, would be to
sniff the traffic and look for EAPOL-Key frames which are exchanged at the
end of the auth process.
Hope this can help.
Andrea
On Wed, 19 May 2004, Chris Bshaw wrote:
> Hi
>
> I have created the following setup:
>
> W2K 802.1x supplicant client with NetGear WG511 card
> Cisco Aironet 1200 AP
> RH9 Linux server with a cvs download of freeradius
>
> As per the many docs on the subject, I have successfully setup
> EAP-TLS...however, I can't tell if WEP keys are being generated.
>
> When I look on the web admin page of the Aironet 1200 the associations list
> says that my W2K client is EAP-associated (so that works OK) but Encryption
> is marked as 'none'.
>
> ...and I have looked in the radiusd logs but can't work out whether WEP
> keys are being generated. I know that the session key is used to generate
> the keys, so perhaps something in the logs (without the word WEP in it) is
> responsible for WEP key generation.
>
> I thought that if you used EAP-TLS then you automatically got WEP keys
> generated? Is this true?
> If so how can I confirm that this is happening (other than trying to sniff
> the traffic off the air to see if it is encrypted ;-)...
>
> If this isn't true, does this mean that it is possible to use EAP-TLS
> without WEP key generation?
>
> If so, are there extra steps I need to follow to activate WEP key 
generation
> as part of EAP-TLS?
>
> Sorry if some of these questions seem a bit strangeI am a bit new to
> 802.1x and EAP
>
> Thanx in advance for any help.
>
> Chris Bradshaw
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS and WEP key generation

2004-05-19 Thread Andrea G. Forte
Chris,

the whole purpose of 802.1x is to generate a secure auth mechanism and
dynamic re-keying. I have used hostapd together with freeradius and the
key generation as well as the re-keying are automatic. You can set the
re-keying interval as well.
I am not familiar with your setup, but a way to find out would be to
sniff the traffic and look for EAPOL-Key frames which are exchanged at the
end of the auth process.

Hope this can help.
Andrea

On Wed, 19 May 2004, Chris Bshaw wrote:

> Hi
>
> I have created the following setup:
>
> W2K 802.1x supplicant client with NetGear WG511 card
> Cisco Aironet 1200 AP
> RH9 Linux server with a cvs download of freeradius
>
> As per the many docs on the subject, I have successfully setup
> EAP-TLS... however, I can't tell if WEP keys are being generated.
>
> When I look on the web admin page of the Aironet 1200 the associations list
> says that my W2K client is EAP-associated (so that works OK) but Encryption
> is marked as 'none'.
>
> And I have looked in the radiusd logs but can't work out whether WEP
> keys are being generated. I know that the session key is used to generate
> the keys, so perhaps something in the logs (without the word WEP in it) is
> responsible for WEP key generation.
>
> I thought that if you used EAP-TLS then you automatically got WEP keys
> generated? Is this true?
> If so how can I confirm that this is happening (other than trying to sniff
> the traffic off the air to see if it is encrypted ;-)...
>
> If this isn't true, does this mean that it is possible to use EAP-TLS
> without WEP key generation?
>
> If so, are there extra steps I need to follow to activate WEP key generation
> as part of EAP-TLS?
>
> Sorry if some of these questions seem a bit strange... I am a bit new to
> 802.1x and EAP.
>
> Thanx in advance for any help.
>
> Chris Bradshaw
>
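Andrea's suggestion (sniff the exchange and look for EAPOL-Key frames at the end of the authentication) can be checked offline with a small parser. The code below is an added example for this thread, not code from hostapd, FreeRADIUS or Cisco. It decodes the RC4 key descriptor that IEEE 802.1X-2001 uses for dynamic WEP keys, verifies the HMAC-MD5 key signature, and runs over three constructed Ethernet frames. Everything in the sample data is made up: the MAC addresses, the key bytes and the signature key (in a real deployment that key is derived from the EAP session key the RADIUS server returns). It assumes Ethernet framing (EtherType 0x888E), as you would see on hostapd's wired side or after a wireless capture has been decapsulated; a raw 802.11 capture carries the same EAPOL PDU behind an LLC/SNAP header.

```python
"""Check a capture for EAPOL-Key frames: if the AP is handing out dynamic WEP
keys after EAP-TLS they show up right after EAP-Success.  Added example for
this thread, not hostapd, FreeRADIUS or Cisco code; all sample data is made up."""
import hashlib
import hmac
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_KEY = 3
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
DESC_RC4 = 1         # RC4 key descriptor (IEEE 802.1X-2001 7.6), used for dynamic WEP
RC4_FIXED_LEN = 44   # desc(1) keylen(2) replay(8) iv(16) index(1) signature(16)
SIG_OFFSET = 4 + 28  # Key Signature position, counted from the EAPOL header

def parse_rc4_key_descriptor(body):
    """Decode the fixed part of an RC4 key descriptor; the Key field is optional."""
    if len(body) < RC4_FIXED_LEN:
        raise ValueError("RC4 key descriptor truncated")
    desc, key_len, replay, iv, index, sig = struct.unpack("!BHQ16sB16s", body[:RC4_FIXED_LEN])
    if desc != DESC_RC4:
        raise ValueError(f"unexpected key descriptor type {desc}")
    return {
        "key_len": key_len,             # bytes: 5 = 40-bit WEP, 13 = 104/128-bit WEP
        "replay_counter": replay,
        "unicast": bool(index & 0x80),  # bit 7: 1 = unicast key, 0 = broadcast key
        "key_index": index & 0x7F,
        "signature": sig,
        "encrypted_key": body[RC4_FIXED_LEN:],  # empty: supplicant uses EAP session key
    }

def parse_eapol(pdu):
    """Parse an EAPOL PDU (the bytes that follow EtherType 0x888E)."""
    if len(pdu) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    frame = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "body": body}
    if ptype == EAPOL_KEY:
        frame["key"] = parse_rc4_key_descriptor(body)
    return frame

def eapol_key_signature_ok(pdu, sign_key):
    """HMAC-MD5 over the EAPOL packet with the signature zeroed (802.1X-2001 7.6.6)."""
    frame = parse_eapol(pdu)
    if frame["type"] != "EAPOL-Key":
        return False
    packet = pdu[:4 + len(frame["body"])]
    zeroed = packet[:SIG_OFFSET] + bytes(16) + packet[SIG_OFFSET + 16:]
    expected = hmac.new(sign_key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, frame["key"]["signature"])

def find_eapol_keys(frames):
    """Return the parsed EAPOL-Key frames found in a list of raw Ethernet frames."""
    found = []
    for eth in frames:
        if len(eth) < 14 or struct.unpack("!H", eth[12:14])[0] != ETHERTYPE_EAPOL:
            continue
        parsed = parse_eapol(eth[14:])
        if parsed["type"] == "EAPOL-Key":
            parsed["src"] = eth[6:12].hex(":")
            found.append(parsed)
    return found

def summarize(frames):
    """One line per EAPOL-Key frame: the check Andrea suggests, made concrete."""
    lines = []
    for f in find_eapol_keys(frames):
        k = f["key"]
        lines.append(f"{f['src']}: {'unicast' if k['unicast'] else 'broadcast'} key, "
                     f"index {k['key_index']}, {k['key_len'] * 8}-bit, replay {k['replay_counter']}, "
                     f"key field {'present' if k['encrypted_key'] else 'absent'}")
    return lines

# ---- constructed sample capture: made-up MACs, key bytes and signature key ----
def _build_eapol_key(sign_key, key_len, replay, unicast, index, enc_key=b""):
    flag = (0x80 if unicast else 0x00) | (index & 0x7F)
    body = struct.pack("!BHQ16sB16s", DESC_RC4, key_len, replay, bytes(range(16)), flag, bytes(16))
    pdu = struct.pack("!BBH", 1, EAPOL_KEY, len(body) + len(enc_key)) + body + enc_key
    sig = hmac.new(sign_key, pdu, hashlib.md5).digest()
    return pdu[:SIG_OFFSET] + sig + pdu[SIG_OFFSET + 16:]

def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

AP_MAC = bytes.fromhex("000bccaa0001")
STA_MAC = bytes.fromhex("000fb5dd0002")
SIGN_KEY = b"constructed-signature-key"  # in reality derived from the EAP session key
SAMPLE_FRAMES = [
    _eth(AP_MAC, STA_MAC, 0x0800, b"\x45" + bytes(19)),  # ordinary IP frame, ignored
    _eth(STA_MAC, AP_MAC, ETHERTYPE_EAPOL,                # AP -> STA broadcast key, index 1
         _build_eapol_key(SIGN_KEY, 13, 1, False, 1, bytes(range(13)))),
    _eth(STA_MAC, AP_MAC, ETHERTYPE_EAPOL,                # AP -> STA unicast key, no Key field
         _build_eapol_key(SIGN_KEY, 13, 2, True, 0)),
]
```

Calling `summarize(SAMPLE_FRAMES)` prints one line per key handover, e.g. a broadcast key at index 1 of 104 bits with replay counter 1, then a unicast key with the Key field absent. On a real capture you would feed it the Ethernet frames from the pcap; two EAPOL-Key frames from the AP right after EAP-Success are the sign that dynamic WEP keying is working, and a rising replay counter at the rotation interval confirms broadcast key rotation. The signature check matters for the same reason: a frame whose HMAC does not verify under the session-derived key is not one the AP sent.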


EAP-TLS and WEP key generation

2004-05-19 Thread Chris Bshaw
Hi
I have created the following setup:
W2K 802.1x supplicant client with NetGear WG511 card
Cisco Aironet 1200 AP
RH9 Linux server with a cvs download of freeradius
As per the many docs on the subject, I have successfully setup 
EAP-TLS... however, I can't tell if WEP keys are being generated.

When I look on the web admin page of the Aironet 1200 the associations list 
says that my W2K client is EAP-associated (so that works OK) but Encryption 
is marked as 'none'.

And I have looked in the radiusd logs but can't work out whether WEP 
keys are being generated. I know that the session key is used to generate 
the keys, so perhaps something in the logs (without the word WEP in it) is 
responsible for WEP key generation.

I thought that if you used EAP-TLS then you automatically got WEP keys 
generated? Is this true?
If so how can I confirm that this is happening (other than trying to sniff 
the traffic off the air to see if it is encrypted ;-)...

If this isn't true, does this mean that it is possible to use EAP-TLS 
without WEP key generation?

If so, are there extra steps I need to follow to activate WEP key generation 
as part of EAP-TLS?

Sorry if some of these questions seem a bit strange... I am a bit new to 
802.1x and EAP.

Thanx in advance for any help.
Chris Bradshaw