Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)
On Mon, 2 Aug 2004, Christophe Boyanique wrote:

> Kostas Kalevras wrote:
>
> Thanks to you and Artur Hecker for your responses that helped me.
>
> I chose to implement PEAP and EAP-TTLS on freeradius in order to have a
> wide support for Mac OS X and Windows 2000/XP.
>
> As I want to use LDAP to authenticate users, I may be able to use:
> - PAP
> - EAP-GTC
> - LDAP direct bind

That's not an authentication protocol, it's just a way of implementing an
authentication protocol (like PAP, CHAP, MS-CHAP).

> From the point of view of the supplicant, what is the protocol to use
> inside PEAP or EAP-TTLS in order to make freeradius do an LDAP bind? And
> will this protocol be handled by Mac OS X and Windows 2000/XP with or
> without xsupplicant?

You should use PAP, that's the protocol which will send clear text
passwords which can be used for an ldap bind.

> It seems that SecureW2 implements EAP-TTLS+PAP.

Yes it does.

> I found documentation saying that Windows XP handles PEAP but I didn't
> find what protocols inside PEAP are supported (and MSCHAPv2 does not do
> it as passwords are crypted in the LDAP).

PEAP is protected EAP. So you're mostly stuck with MSCHAPv2. Use EAP-TTLS
instead.

> About Mac OS X, it is supposed to handle PEAP and EAP-TTLS but I have
> the same problem: no mention about "inside" protocols.
>
> Does anyone have some information about that?
>
> Thanks again for your help,
>
> Christophe.

--
Kostas Kalevras
Network Operations Center
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)
Kostas Kalevras wrote:

Thanks to you and Artur Hecker for your responses that helped me.

I chose to implement PEAP and EAP-TTLS on freeradius in order to have a
wide support for Mac OS X and Windows 2000/XP.

As I want to use LDAP to authenticate users, I may be able to use:
- PAP
- EAP-GTC
- LDAP direct bind

From the point of view of the supplicant, what is the protocol to use
inside PEAP or EAP-TTLS in order to make freeradius do an LDAP bind? And
will this protocol be handled by Mac OS X and Windows 2000/XP with or
without xsupplicant?

It seems that SecureW2 implements EAP-TTLS+PAP.

I found documentation saying that Windows XP handles PEAP but I didn't
find what protocols inside PEAP are supported (and MSCHAPv2 does not do
it as passwords are crypted in the LDAP).

About Mac OS X, it is supposed to handle PEAP and EAP-TTLS but I have
the same problem: no mention about "inside" protocols.

Does anyone have some information about that?

Thanks again for your help,

Christophe.
Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)
On Thursday, 29 July 2004 at 17:53, Christophe Boyanique wrote:
> Hello,
>
> I want to secure a wireless network (operated with Cisco Aironet 1200
> aps) via freeradius connected to an OpenLDAP server; with clients
> running Windows 2000, Windows XP and Mac OS-X (>= 10.2).
(...)

See: http://doris.cc/radius/

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)
hi

>> But will PAP be supported by supplicants running on Windows and Mac OS-X?
>
> If you are going to use EAP-TTLS you must use the SecureW2 client since
> Windows does not support EAP-TTLS. SecureW2 supports PAP so you should be
> fine. I have no idea about MacOS X though; since it's a unix flavor maybe
> Xsupplicant can work on it (Xsupplicant supports EAP-TTLS).

apparently, xsupplicant works, but with some modifications. however, since
Mac OS X (10.3++) there is an integrated client which is more convenient
and does support TTLS.

http://images.apple.com/macosx/pdf/Security_in_Mac_OS_X.pdf, page 8

ciao
artur
Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)
On Thu, 29 Jul 2004, Christophe Boyanique wrote:

> Hello,
>
> I want to secure a wireless network (operated with Cisco Aironet 1200
> aps) via freeradius connected to an OpenLDAP server; with clients
> running Windows 2000, Windows XP and Mac OS-X (>= 10.2).
>
> I saw that EAP-MD5 is not recommended (and not supported by Windows XP
> since SP1).
>
> EAP-TLS is not a choice as there is no LDAP interaction from what I've
> read on this mailing-list and other places.

Depends on what you mean by LDAP interaction. You can still use LDAP to
*authorize* the user. EAP-TLS just does certificate authentication so
there's not much LDAP interaction involved (apart from probably verifying
the supplied user certificate through LDAP, though that's not currently
supported).

> The best choice seems to be EAP-TTLS as it is supported by freeradius
> and the selected clients. But I have some questions about the protocol
> to use inside the TLS tunnel.
>
> It seems that EAP-MD5 is not possible as passwords are stored in {CRYPT}
> format in the LDAP.
> I tried the EAP-MD5+LDAP feature and it works indeed with clear
> passwords. I was wondering if it would be possible to patch the eap-md5
> module to crypt the password sent by the supplicant before comparing it
> with the one from the LDAP?

Please read the CHAP/EAP-MD5 specification. That's not how the protocol
works. You *need* clear text passwords for EAP-MD5 to work.

> I read some things about using PAP inside EAP-TTLS. It seems that
> {CRYPT} passwords work with PAP as I see there is an encryption_scheme
> parameter for PAP.

You can also use the ldap module for authentication instead of the pap
module (authentication through an ldap bind request).

> But will PAP be supported by supplicants running on Windows and Mac OS-X?

If you are going to use EAP-TTLS you must use the SecureW2 client since
Windows does not support EAP-TTLS. SecureW2 supports PAP so you should be
fine.

I have no idea about MacOS X though; since it's a unix flavor maybe
Xsupplicant can work on it (Xsupplicant supports EAP-TTLS).

> Thank you for your help,
>
> Christophe.

--
Kostas Kalevras
Network Operations Center
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
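The point Kostas makes above (EAP-MD5/CHAP needs the cleartext password on the server, while PAP inside the TTLS tunnel works against a one-way hashed directory entry or an LDAP bind) is shown below as an added example. It is not code from the thread or from the FreeRADIUS project. Assumptions: the directory entries and the challenge are constructed here; the stored password uses OpenLDAP's {SSHA} scheme instead of the thread's {CRYPT}, purely so the example needs only hashlib, since the argument is identical for any one-way scheme (MS-CHAPv2 is in the same position as EAP-MD5: it needs the NT hash of the password, which a {CRYPT} or {SSHA} entry cannot yield, and is left out of the code).

```python
import base64
import hashlib
import hmac
import os

# Constructed directory entries (assumption). OpenLDAP stores userPassword
# either as cleartext or under a one-way salted scheme such as {CRYPT} or
# {SSHA}; {SSHA} = base64(SHA1(password || salt) || salt) is used here.

def ssha_hash(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

HASHED_DIR = {"christophe": ssha_hash("correct horse", b"\x5a\x1b\x33\x7e")}
CLEARTEXT_DIR = {"christophe": "correct horse"}   # no scheme prefix = cleartext

# --- PAP, tunnelled inside EAP-TTLS ----------------------------------------
# The supplicant sends the password itself through the TLS tunnel, so the
# server can re-hash it under whatever scheme the directory uses (what
# rlm_pap does) or hand it to the directory for a bind (what rlm_ldap does).
def pap_authenticate(directory: dict, user: str, password: str) -> bool:
    stored = directory.get(user)
    if stored is None:
        return False
    if stored.startswith("{SSHA}"):
        return ssha_verify(password, stored)
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))

# --- CHAP / EAP-MD5 ----------------------------------------------------------
# RFC 1994 / RFC 3748: response = MD5(identifier || secret || challenge).
def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + password.encode("utf-8") + challenge).digest()

def chap_authenticate(directory: dict, user: str, identifier: int,
                      challenge: bytes, response: bytes) -> bool:
    stored = directory.get(user)
    if stored is None or stored.startswith("{"):
        # One-way entry: the server cannot recompute MD5(id||secret||challenge)
        # because "secret" has to be the cleartext password. Hashing the
        # supplicant's data, as the question above proposes, gives nothing to
        # compare against, so the only honest answer is a reject.
        return False
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    challenge = os.urandom(16)                 # what the server would send
    resp = chap_response(1, "correct horse", challenge)   # what the client returns
    print("PAP vs hashed directory:    ", pap_authenticate(HASHED_DIR, "christophe", "correct horse"))
    print("EAP-MD5 vs cleartext directory:", chap_authenticate(CLEARTEXT_DIR, "christophe", 1, challenge, resp))
    print("EAP-MD5 vs hashed directory: ", chap_authenticate(HASHED_DIR, "christophe", 1, challenge, resp))
```

The first two calls succeed and the third fails, which is the whole reason the thread settles on EAP-TTLS with PAP inside: the tunnel protects the cleartext password on the air, and having the cleartext on the server is what makes a {CRYPT} comparison or an LDAP bind possible at all.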