Matt,
Let me clarify the certificate requirements for WPA/WPA2 Enterprise mode
(802.1x) authentication.
The following EAP-Types require a cert on the Authentication Server
(RADIUS server): EAP-TLS, EAP-TTLS, EAP-PEAPv0 (Microsoft) and
EAP-PEAPv1 (Cisco). This is required to authenticate the Auth Server to
the client.
Only EAP-TLS requires client certs (PKI). EAP-TLS doesn't use
usernames/passwords as the certs authenticate the client & Auth Server
to each other. All of the other above EAP-Types use usernames/passwords
(or hashes) to authenticate the client to the Auth Server.
I put together a table of the various EAP-Types with their traits for a
presentation I did at the ResNet Symposium. There is a PDF of the
presentation available from the ResNet Symposium site if you are
interested in it.
>>-> Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division
404.727.0226
[EMAIL PROTECTED]
AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED]
-------- Original Message --------
From: Matt Ashfield
Date: 7/10/2006 1:53 PM
Hi All,
Thanks for all the responses. It's great to be part of a useful mailing list
like this!
Just to clarify a few things:
Our passwords are stored in cleartext on the LDAP server.
We are using SunOne for LDAP and FreeRadius for radius.
We have no desire to have individual client certificates and would prefer to
do username/password against the LDAP server.
From what I can tell, the only way to deal with plaintext passwords stored
in LDAP and still have username/password authentication is to go with
EAP-TTLS and use the secure2 client.
But I just saw the post by Tom Zeller and he's saying the hashed password
does NOT go over the network with MS-CHAP. So I'm starting to get a bit
confused.
Any thoughts? Does anyone here have this same situation and have it working?
Thanks
Matt Ashfield
[EMAIL PROTECTED]
-----Original Message-----
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: July 7, 2006 4:24 PM
To: [EMAIL PROTECTED]
Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
Hey, Matt,
This setup is actually almost identical to what we're doing here at
UT Dallas.
As is commonly seen on the FreeRADIUS mailing lists, I think you may
be confusing how to use PEAP with LDAP a little. In order to use
PEAP with LDAP, you don't use LDAP "authentication" in FreeRADIUS.
You have to store either a cleartext password or an NTLMv2 password
hash in your LDAP directory for each of your users. Be sure if you
do this to set appropriate ACLs on the attribute containing the
password/hash so that only the RADIUS connect profile can get to that
attribute. In any case, once you've done this, the LDAP module goes
in your authorize section in FR so that it can pull the password or
hash out and use it to perform the authentication itself using the
mschap module.
Also, for PEAP, you only need a certificate for your RADIUS servers
to authenticate the network to the users. Your users don't need
personal certificates as they would using EAP-TLS. If you purchase a
commercial certificate from one of the CAs included by default in
your client OSes, then you don't have to install anything on the
clients and just have to configure them for access.
These links might be useful for you:
UTD's 802.1x setup instructions for Windows XP:
http://www.utdallas.edu/ir/cats/network/wlan/8021x/winxp/index.html
I actually gave an Educause Live presentation on UTD's 802.1x
deployment. It's archived here:
http://www.educause.edu/LIVE058
Hope that helps!
--Mike
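The point above about what the LDAP entry must hold for PEAP is easy to see in code. The following is an added illustration, not FreeRADIUS code: SHA-256 and HMAC-SHA256 stand in for the MD4 "NT hash" and the DES-keyed MS-CHAPv2 response so that it runs on the Python standard library alone, and the `stored_kind` labels and `{SSHA}` hex encoding are this example's own conventions. It shows why the RADIUS server can verify an MS-CHAPv2 response only from a cleartext password or an NT hash, while a one-way salted hash only works when the plaintext itself arrives inside the tunnel (TTLS/PAP), even though no password or hash crosses the network with MS-CHAP.

```python
import hashlib
import hmac

# Stand-ins for the real primitives (not the MS-CHAPv2 algorithm itself).
def nt_hash(password):
    """Stand-in for the NT hash: unsalted hash of the UTF-16LE password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_mschap_response(password, challenge):
    """What the supplicant sends inside the PEAP tunnel: a response keyed with
    its password hash. Neither the password nor the hash crosses the network."""
    return hmac.new(nt_hash(password), challenge, hashlib.sha256).digest()

def ssha_store(password, salt):
    """Salted SHA-1 userPassword value as a directory might hold it
    (hex here instead of the usual base64)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + (digest + salt).hex()

def verify_mschap(stored_kind, stored, challenge, response):
    """RADIUS side of PEAP/MS-CHAPv2. Returns True/False, or None when the
    stored form cannot yield the NT hash at all (FreeRADIUS then has no
    "known good" password to check against)."""
    if stored_kind == "cleartext":      # directory holds plaintext: derive hash
        key = nt_hash(stored)
    elif stored_kind == "nt-hash":      # directory holds the NT hash itself
        key = stored
    else:                               # {SSHA}, {CRYPT}, ...: one-way, salted
        return None
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def verify_pap(stored_kind, stored, password):
    """EAP-TTLS/PAP: the tunnel delivers the plaintext, so the server can
    check it against any stored form, including a salted one-way hash."""
    if stored_kind == "cleartext":
        return hmac.compare_digest(stored.encode(), password.encode())
    if stored_kind == "nt-hash":
        return hmac.compare_digest(stored, nt_hash(password))
    if stored_kind == "ssha":
        raw = bytes.fromhex(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(digest, candidate)
    raise ValueError("unknown stored_kind: %r" % stored_kind)
```

The practical consequence for the thread: cleartext or NT-hash storage (with tight ACLs on that attribute) supports PEAP/MS-CHAPv2, while salted one-way hashes restrict the inner method to TTLS/PAP.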
On Jul 7, 2006, at 1:50 PM, Matt Ashfield wrote:
Hi All
I'm trying to configure 802.1x wireless authentication using credentials
stored in LDAP.
I am running FreeRadius and SunOne ldap server. The Radius server is
correctly doing authentication attempts to the LDAP server (I issue the
"radtest" command with a username/passwd from LDAP and I get an
authenticate-accept back).
The next step is setting up an XP client to talk to an Access Point, which
is configured to authenticate via the Radius server, via LDAP. So far, in my
minimal testing, I've seen the client try to connect using its Windows
credentials rather than giving the user a chance to enter a
username/password.
I'm sure others out there are doing this. I'm just wondering what you're
using? EAP-TLS, PEAP, etc..? I guess I need to get my acronyms straight
first and go from there.
From what I can tell PEAP will require my users to install a certificate.
We'd much rather prefer them to have to enter their LDAP usernames and
passwords.
Any advice is appreciated.
Thanks
Matt Ashfield
[EMAIL PROTECTED]
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at http://www.educause.edu/groups/.
**********