Thanks guys for your post. First off, I have tried using the WinXP
supplicant and I have no problems authenticating with the Linksys wifi
cards. I just wish the Linksys utility was like Cisco, where I can tell it to
provide either/or username/cert. The Cisco cards have no problem with this,
whereas using the Linksys with its utility does not provide me with what I
want. No big deal.
Using the Linksys client utility, a username, password, and certificate
must be provided (the certificate is a combo box so I can't even leave it
blank). I have always preferred to use the utility that came with wifi cards
for configuration. They typically provide more information and are more user
friendly than the Windows supplicant.
This problem does pertain to the Linksys software more than FreeRadius.
I was just hoping there was a way in the FreeRadius config files to help
solve the problem.
Travis
- Original Message -
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: "devel" <[EMAIL PROTECTED]>; "FreeRadius users mailing list"
Sent: Tuesday, October 10, 2006 12:42 PM
Subject: Re: disable FreeRadius checking of client certs
Hi Travis
Excuse me for top-posting, but just as Alan I'm a bit surprised by your
post.
If your authentication system is based on certificates, you need
certificates and you really should not say anything like "certificates
bother me" since that is the only expression of your trust, so without
that verification no authentication will ever be reasonable or complete.
If it is not, you do not have certificates. Allowing both for the same
client (same machine) is discouraged. Personally I am not familiar with a
supplicant which tries one and then another for the same username.
Thus, per user if you are using EAP-PEAP-MSCHAPv2 (passwords), then you
are not using EAP-TLS. And vice versa.
The good news is: the authentication method has strictly nothing to do
with the WiFi card; it is completely virtualized, in software. EAP is
only a transporter protocol, it does not say how to authenticate, it only
says how to transport data. Thus, if EAP is supported by the card, then
*every* EAP method is supported. That's the magic of 802.1X and that's why
it's supported in the operating system rather than being supported by a
network card.
Now if you are saying that you use a special Linksys 802.1X client, then
I would first suggest that you use the standard WinXP client. Sorry, but
the Linksys client is fairly unknown.
Practically, it's difficult to guess from what you provided, but I think
that you do use the WinXP supplicant (i.e. 802.1X client - I do not know
of any linksys supplicant) and that you probably want to use
EAP-PEAP-MSCHAPv2. That involves one server certificate (obviously one
common trust anchor - a self-signed CA certificate) and some
username/passwords on clients. What probably happened is that in the two
cases where the Linksys card is used, you did not correctly configure
EAP-PEAP (called "Protected EAP" in WinXP or similar), but you let it be
"Smartcard or Certificate". Thus, the card tries to do TLS with some
available pub/priv key combination, but Freeradius rejects it.
Reconfigure the WinXP supplicant to do EAP-PEAP and it will ask you for
passwords. Do not forget to deploy the server certificate on user
machines...
Well, I have not issued certs to clients. Some of my clients have the
option to log in with a username "OR" a cert. However, there are a few
random Linksys cards (I guess I should have mentioned this was for
Wifi/WPA) that I "MUST" provide a username and a cert.
Strictly speaking, every EAP session will take a Username and the AAA
server will derive from it the authentication method to use. When used in
EAP-TLS, Windows XP typically fills it out with the CN from the
certificate (if available) but that is of course insufficient and it
would be more correct to give an identifier and then to start a TLS
authentication session for that id. (How exactly the username compares to
the certified information is an open question, since the username can be
altered by different means).
If there are no certs on the client machine, Linksys fills the cert in
with "Trust Any", so I assume it may be attempting with a blank? cert or
another cert on the machine, such as VeriSign or the like. So this client
is attempting to authenticate, I believe, with other certs on its
machine because the radius log looks like below:
Hmmm??? You can't just use any certificate for authentication. What you
need is a pair: certificate/private key. Nobody except VeriSign has their
private key.
The only option for your Linksys 802.1X client would be to spontaneously
create a CA and to issue one user certificate for EAP authentication
signe
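As an added example (not from this thread or the FreeRADIUS project), the shape of a FreeRADIUS `eap` section that does what Artur describes: certificate users do EAP-TLS, password users do PEAP-MSCHAPv2, and the choice is made by what the supplicant asks for rather than by switching off certificate checking on the server. The file paths, the key password and the FreeRADIUS 1.x/2.x `eap.conf` syntax are assumptions.

```conf
# Assumed layout: ${raddbdir}/certs holds the server key/cert and CA cert.
eap {
	# Type offered first; a supplicant configured for EAP-TLS answers
	# with a NAK naming TLS instead, so both methods coexist per user.
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no

	# tls is required even for PEAP: it provides the TLS tunnel and the
	# server certificate that every client must be able to verify.
	tls {
		private_key_password = "PLACEHOLDER-key-password"
		private_key_file = ${raddbdir}/certs/server.pem
		certificate_file = ${raddbdir}/certs/server.pem
		# CA that signed the server cert AND any client certs (EAP-TLS).
		# Deploy this same CA cert to every client as its trust anchor.
		CA_file = ${raddbdir}/certs/ca.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		fragment_size = 1024
		include_length = yes
		# A client with no cert issued by CA_file is rejected here;
		# that rejection is the TLS failure seen for the Linksys cards.
		check_crl = no
	}

	# Password users: the supplicant is set to "Protected EAP", the
	# inner method is MSCHAPv2 over the TLS tunnel above.
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}
```

A client whose supplicant is set to "Smartcard or Certificate" will still be asked for a client certificate and rejected without one; the fix is on that client, as Artur says, not in this section.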