This page is a work in progress.

FreeRadius and WPA

WPA with RADIUS (also known as enterprise WPA) is basically EAP/PEAP, with or without a tunneled second authentication phase. The access point should simply relay the EAP data to the RADIUS server unchanged and receive a go-ahead once the client has been authenticated. The main problem is configuring RADIUS so that it authenticates correctly and supports the majority of clients.

Authentication types used with EAP-*

  • TLS - certificate-based authentication; requires a PKI.
  • MD5 - MD5 hash authentication; can be used with shadow Unix passwords.
  • GTC - generic token card; the token can be just about anything (an OTP, a PSK, a password), so it is really a question of what you use to verify the token. Often used with NDS/LDAP or OTP generators.
  • MSCHAP - NTLM authentication hash; requires ntlm_auth or plain-text password storage to work.
  • PAP - plain-text password.

EAP types

  • EAP-TLS - no tunnel; the certificate verification mentioned above is the authentication.
  • EAP-TTLS - uses TLS to encrypt an inner tunnel in which a second-phase EAP authentication is done with a password or hash.
  • PEAP - another TLS-tunneled EAP method, widely supported by Microsoft and Cisco.
  • LEAP - an early Cisco method, not widely supported.

PEAP with inner EAP-MSCHAPv2 is probably the most widely supported configuration.
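To make the relay described above concrete (the AP wrapping EAP in RADIUS, and the EAP type codes behind the methods listed here), this added example decodes the EAP payload a RADIUS server receives and checks the Message-Authenticator that protects it. It is not code from the original page; the sample packet, the shared secret and the zeroed Request Authenticator are constructed test data.

```python
"""Decode EAP relayed over RADIUS by a WPA-Enterprise AP (added example, not from the page)."""
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)

def radius_attributes(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    length, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed RADIUS attribute")
        yield a_type, pos, packet[pos + 2:pos + a_len]
        pos += a_len

def verify_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 3579 3.2)."""
    for a_type, pos, value in radius_attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # EAP-Message without Message-Authenticator must be rejected

def parse_eap(packet):
    """Reassemble EAP-Message fragments and decode the EAP header and method."""
    eap = b"".join(v for t, _, v in radius_attributes(packet) if t == EAP_MESSAGE)
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length does not match reassembled payload")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):  # only Request/Response carry a Type byte
        info["type"] = EAP_TYPES.get(eap[4], eap[4])
        if eap[4] == 1:
            info["identity"] = eap[5:].decode(errors="replace")
        elif eap[4] == 3:  # Nak: the client lists the methods it will accept
            info["wants"] = [EAP_TYPES.get(t, t) for t in eap[5:]]
    return info

def build_access_request(eap, secret):
    """Constructed Access-Request carrying one EAP packet (sample data, zero Request Authenticator)."""
    frags = [eap[i:i + 253] for i in range(0, len(eap), 253)]  # 253-byte EAP-Message chunks
    body = b"".join(bytes([EAP_MESSAGE, 2 + len(f)]) + f for f in frags)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # placeholder, filled below
    packet = struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
```

A server that skips the Message-Authenticator check will accept EAP that anyone on the path between AP and RADIUS could have altered, which is why FreeRADIUS insists on it for EAP traffic.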

Client quirks

iPhone

Android

Installing certificates on Android is an annoyance. The CA certificate can be installed by putting it on a web server (don't forget the Content-Type: application/x-x509-ca-cert header) and fetching it with the browser. The client certificate must be copied to the SD card and then installed via Settings > Location and security > Install encrypted certificates from SD card. An alternative is to serve the certificate in PKCS-12 format with a Content-Type: application/x-pkcs12 header; be sure you secure the URI used.

Gnome Network Manager

There is a bug in the Network Manager dialog used to configure EAP-TLS when PEM-formatted certificates are used. It does work with PKCS-12 certificates, so just convert the certificate with OpenSSL and be on your way.

Windows

Advanced configurations

Vlans/tagging

IP assignments

LDAP

-- AvishaiIshShalom - 13 Dec 2010
Topic revision: r2 - 26 Dec 2010 - 17:19:59 - AvishaiIshShalom