Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-08-02 Thread Christophe Boyanique
Kostas Kalevras wrote :
Thanks to you and Artur Hecker for your responses that helped me.
I chose to implement PEAP and EAP-TTLS on freeradius in order to have 
wide support for Mac OS X and Windows 2000/XP.

As I want to use LDAP to authenticate users, I may be able to use:
- PAP
- EAP-GTC
- LDAP direct bind
From the point of view of the supplicant, what is the protocol to use 
inside PEAP or EAP-TTLS in order to make freeradius do an LDAP bind? And 
will this protocol be handled by Mac OS X and Windows 2000/XP, with or 
without xsupplicant?

It seems that SecureW2 implements EAP-TTLS+PAP.
I found documentation saying that Windows XP handles PEAP, but I didn't 
find which protocols inside PEAP are supported (and MSCHAPv2 does not do 
it, as passwords are crypt-hashed in the LDAP).

About Mac OS X, it is supposed to handle PEAP and EAP-TTLS, but I have 
the same problem: no mention of inner protocols.

Does anyone have some information about that?
Thanks again for your help,
Christophe.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-08-02 Thread Kostas Kalevras
On Mon, 2 Aug 2004, Christophe Boyanique wrote:

 Kostas Kalevras wrote :

 Thanks to you and Artur Hecker for your responses that helped me.

 I chose to implement PEAP and EAP-TTLS on freeradius in order to have
 wide support for Mac OS X and Windows 2000/XP.

 As I want to use LDAP to authenticate users, I may be able to use:
 - PAP
 - EAP-GTC
 - LDAP direct bind

That's not an authentication protocol, it's just a way of implementing an
authentication protocol (like PAP, CHAP, MS-CHAP).


 From the point of view of the supplicant, what is the protocol to use
 inside PEAP or EAP-TTLS in order to make freeradius do an LDAP bind? And
 will this protocol be handled by Mac OS X and Windows 2000/XP, with or
 without xsupplicant?

You should use PAP; that's the protocol which will send clear-text passwords,
which can be used for an LDAP bind.


 It seems that SecureW2 implements EAP-TTLS+PAP.

Yes it does.


 I found documentation saying that Windows XP handles PEAP, but I didn't
 find which protocols inside PEAP are supported (and MSCHAPv2 does not do
 it, as passwords are crypt-hashed in the LDAP).

PEAP is Protected EAP, so you're mostly stuck with MSCHAPv2. Use EAP-TTLS
instead.


 About Mac OS X, it is supposed to handle PEAP and EAP-TTLS, but I have
 the same problem: no mention of inner protocols.

 Does anyone have some information about that?

 Thanks again for your help,

 Christophe.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-30 Thread Michael Schwartzkopff
Am Donnerstag, 29. Juli 2004 17:53 schrieb Christophe Boyanique:
 Hello,

 I want to secure a wireless network (operated with Cisco Aironet 1200
 aps) via freeradius connected to an OpenLDAP server; with clients
 running Windows 2000, Windows XP and Mac OS-X (= 10.2).

(...)

See: http://doris.cc/radius/
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B



Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Christophe Boyanique wrote:

 Hello,

 I want to secure a wireless network (operated with Cisco Aironet 1200
 aps) via freeradius connected to an OpenLDAP server; with clients
 running Windows 2000, Windows XP and Mac OS-X (= 10.2).

 I saw that EAP-MD5 is not recommended (and not supported by Windows XP
 since SP1).

 EAP-TLS is not a choice as there is no LDAP interaction from what I've
 read on this mailing-list and other places.

Depends on what you mean by LDAP interaction. You can still use LDAP to
*authorize* the user. EAP-TLS just does certificate authentication, so there's
not much LDAP interaction involved (apart from probably verifying the supplied
user certificate through LDAP, though that's not currently supported).


 The best choice seems to be EAP-TTLS as it is supported by freeradius
 and the selected clients. But I have some questions about the protocol
 to use inside the TLS tunnel.

 It seems that EAP-MD5 is not possible, as passwords are stored in {CRYPT}
 format in the LDAP.
 I tried the EAP-MD5+LDAP feature, and it works indeed with clear
 passwords. I was wondering if it would be possible to patch the eap-md5
 module to crypt the password sent by the supplicant before comparing it
 with the one from the LDAP?

Please read the CHAP/EAP-MD5 specification. That's not how the protocol works.
You *need* clear text passwords for EAP-MD5 to work.


 I read some things about using PAP inside EAP-TTLS. It seems that
 {CRYPT} passwords work with PAP as I see there is an encryption_scheme
 parameter for PAP.

You can also use the ldap module for authentication instead of the pap module
(authentication through an ldap bind request).


 But will PAP be supported by supplicants running on Windows and Mac OS-X ?

If you are going to use EAP-TTLS you must use the SecureW2 client, since Windows
does not support EAP-TTLS. SecureW2 supports PAP, so you should be fine. I have no
idea about Mac OS X though; since it's a Unix flavor, maybe Xsupplicant can work on
it (Xsupplicant supports EAP-TTLS).



 Thank you for your help,

 Christophe.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

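The two points Kostas makes in this thread (CHAP/EAP-MD5 cannot be verified against a hashed directory password, while PAP inside EAP-TTLS can, because the server receives the cleartext and can either re-hash it or bind to LDAP with it) are shown below in working code. This is an added example, not code from the thread or from FreeRADIUS. It uses OpenLDAP's {SSHA} scheme as a stand-in for the {CRYPT} attribute discussed above (only the hash function differs; the argument is identical), and the directory entries and passwords are constructed.

```python
"""Why PAP inside EAP-TTLS works against a hashed LDAP password while
CHAP / EAP-MD5 does not.  Added example; {SSHA} stands in for {CRYPT} and
every directory entry below is constructed."""
import base64
import hashlib
import hmac
import os


# --- the directory side ------------------------------------------------------
def make_ssha(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(password: str, stored: str) -> bool:
    """What an LDAP simple bind (or a PAP module that understands the scheme)
    effectively does: re-hash the cleartext with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# --- the supplicant side -----------------------------------------------------
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) / EAP-MD5 (RFC 3748 s5.4): MD5(Identifier || Secret || Challenge).
    The secret enters the digest as cleartext; there is no hashed form of it
    that the client could substitute."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


# --- the RADIUS server side --------------------------------------------------
def verify_pap(presented: str, stored: str) -> bool:
    """PAP inside the TTLS tunnel: the server holds the cleartext password, so it
    can hash it in whatever scheme the directory uses (or just bind with it)."""
    if stored.startswith("{SSHA}"):
        return check_ssha(presented, stored)
    return hmac.compare_digest(presented.encode(), stored.encode())   # cleartext entry


def verify_chap(identifier: int, challenge: bytes, response: bytes, stored: str) -> bool:
    """CHAP/EAP-MD5: the server must recompute MD5 over the cleartext secret.  If the
    directory only holds a hash it cannot form the digest input at all, which is
    why 'crypt the supplicant's password first, then compare' cannot be made to work."""
    if stored.startswith("{"):
        raise ValueError("CHAP/EAP-MD5 needs the cleartext secret; directory holds a hash")
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def outcome(inner: str, password: str, stored: str) -> str:
    """Run one inner method against one directory entry.
    Returns 'accept', 'reject' or 'unsupported'."""
    if inner == "PAP":
        return "accept" if verify_pap(password, stored) else "reject"
    if inner in ("CHAP", "EAP-MD5"):
        ident, challenge = 7, os.urandom(16)          # server picks these
        resp = chap_response(ident, password, challenge)   # supplicant answers
        try:
            return "accept" if verify_chap(ident, challenge, resp, stored) else "reject"
        except ValueError:
            return "unsupported"
    raise ValueError("unknown inner method: " + inner)


if __name__ == "__main__":
    hashed = make_ssha("s3cret", b"salt")   # constructed directory entry
    for method in ("PAP", "EAP-MD5"):
        print(method, "vs {SSHA} entry:  ", outcome(method, "s3cret", hashed))
        print(method, "vs cleartext entry:", outcome(method, "s3cret", "s3cret"))
```

Running it prints `accept` for PAP in both cases and `unsupported` for EAP-MD5 against the hashed entry; the same holds for MS-CHAPv2, which needs the NT hash rather than the cleartext but likewise cannot be derived from a {CRYPT} or {SSHA} value. That is the reason the thread ends up at EAP-TTLS with PAP inside.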


Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-29 Thread Artur Hecker
hi

 But will PAP be supported by supplicants running on Windows and Mac OS-X?

 If you are going to use EAP-TTLS you must use the SecureW2 client, since Windows
 does not support EAP-TTLS. SecureW2 supports PAP, so you should be fine. I have no
 idea about Mac OS X though; since it's a Unix flavor, maybe Xsupplicant can work on
 it (Xsupplicant supports EAP-TTLS).

Apparently, xsupplicant works, but with some modifications. However, 
since Mac OS X 10.3 and later there is an integrated client which is more 
convenient and does support TTLS.

http://images.apple.com/macosx/pdf/Security_in_Mac_OS_X.pdf, page 8
ciao
artur