Thread: [Aironet] EAP/802.1x Questions
From: Matt P. <ma...@pe...> - 2001-05-19 15:20:21

I'm trying to grasp the whole EAP & 802.1x concepts (it's difficult to make sense of current marketing fluff and limited IEEE docs I can get ahold of), I'd appreciate any real world experience on the subject.

While I think 802.1x is a great idea (especially with M$ Windows XP built-in support, to be released in October), I'm concerned most other OS's and PC Card Drivers/Firmware won't adopt the standard any time soon (especially like the $89 802.11b PC Card's).

It appears the idea of passing a username & password to an AP (which relays it to a RADIUS server, by acting as a RADIUS client) is in the standard documentation; is the returned dynamic WEP key vendor specific? (I hope this isn't the case, I'd hate to see the mess we have right now with proprietary bridges and repeaters continue). Furthermore, is the dynamic WEP key exchange required?

Has anyone tried using the Cisco 350 AP's enabled with 802.1x talking to an open source RADIUS server (like FreeRADIUS)?

My ideal AP would listen to both standard and EAP 802.1x enabled clients. The firmware would prioritize 802.1x first, standard "old school" clients would hit my own "captive portal" (transparent web redirection to a login site). Is this how the "Accept Authentication Types" config works for the Cisco 350's?

It appears that only Cisco and Enterasys have current released firmware to support 802.1x, does any other vendor?

Thanks in advance for your schooling.

--
Matt Peterson another.geek.without.a.life
ma...@pe... http://matt.peterson.org/

From: Simon B. <si...@ba...> - 2001-05-21 00:12:26

Where do you get 802.11b cards for $89?

Simon

----- Original Message -----
From: "Matt Peterson" <ma...@pe...>
To: <ai...@en...>
Cc: <wir...@li...>
Sent: Saturday, May 19, 2001 8:20 AM
Subject: [BAWUG] EAP/802.1x Questions

> I'm trying to grasp the whole EAP & 802.1x concepts (it's difficult to
> make sense of current marketing fluff and limited IEEE docs I can get
> ahold of), I'd appreciate any real world experience on the subject.
>
> While I think 802.1x is a great idea (especially with M$ Windows XP
> built-in support, to be released in October), I'm concerned most other
> OS's and PC Card Drivers/Firmware won't adopt the standard any time soon
> (especially like the $89 802.11b PC Card's).
>
> It appears the idea of passing a username & password to an AP (which
> relays it to a RADIUS server, by acting as a RADIUS client) is in the
> standard documentation; is the returned dynamic WEP key vendor specific?
> (I hope this isn't the case, I'd hate to see the mess we have right now
> with proprietary bridges and repeaters continue). Furthermore, is the
> dynamic WEP key exchange required?
>
> Has anyone tried using the Cisco 350 AP's enabled with 802.1x
> talking to an open source RADIUS server (like FreeRADIUS)?
>
> My ideal AP would listen to both standard and EAP 802.1x enabled clients.
> The firmware would prioritize 802.1x first, standard "old school" clients
> would hit my own "captive portal" (transparent web redirection to a login
> site). Is this how the "Accept Authentication Types" config works for the
> Cisco 350's?
>
> It appears that only Cisco and Enterasys have current released firmware to
> support 802.1x, does any other vendor?
>
> Thanks in advance for your schooling.
>
> --
> Matt Peterson another.geek.without.a.life
> ma...@pe... http://matt.peterson.org/

From: Phil C. <Phil.Cox@SystemExperts.com> - 2001-05-21 22:04:33

> I'm trying to grasp the whole EAP & 802.1x concepts (it's difficult to
> make sense of current marketing fluff and limited IEEE docs I can get
> ahold of), I'd appreciate any real world experience on the subject.

Matt,

[Caveat Emptor: What I know, I know from gleaning different docs, and using what I can. I am not associated with *any* vendor, or on any IEEE body. I am just a user trying to understand it all]

This whole area seems to be a mass of conflicting technologies and standards (I get frustrated just thinking about it). The thing you should be looking at is the 802.11e working group stuff on Enhanced Security Network (ESN). This is the use of 802.1X in the wireless arena. The reason this is important is that ESN specifies Kerberos *not* RADIUS as the authentication mechanism. It will be interesting to see if anyone (i.e., Cisco) keeps RADIUS support if/when the ESN gets blessed. Looks like Symbol is one of the first to support this (saw it advertised at Interop).

> It appears the idea of passing a username & password to an AP (which
> relays it to an RADIUS server, by acting as a RADIUS client) is in the
> standard documentation; is the returned dynamic WEP key vendor specific?

No. It is my understanding that the WEP key does conform to the general WEP standard, so interoperability *should* be possible.

> (I'm hope this isn't the case, I'd hate to see the mess we have right now
> with proprietary bridges and repeaters continue). Furthermore, is the
> dynamic WEP key exchange required?

No, it is not required to be returned.

> Has anyone tried using the Cisco 350 AP's enabled with 802.1x
> talking to an open source RADIUS server (like FreeRADIUS)?

No. I believe that there is certain information that needs to be supported, and I have not found that documented anywhere. To my knowledge, only Cisco has a RADIUS server that will do it. I had heard that the Microsoft RADIUS server in Win2K/Whistler would do it, but I have not tried it. Also, one of the Lucent AP's (AS-2000 I believe) supports it, so I would assume they sell a RADIUS server as well. I *would* expect that RADIUS servers and AP would interoperate (i.e., Cisco ACS with a Lucent AS-2000).

> My ideal AP would listen to both standard and EAP 802.1x enabled clients.
> The firmware would prioritize 802.1x first, standard "old school" clients
> would hit my own "captive portal" (transparent web redirection to a login
> site). Is this how the "Accept Authentication Types" config works for the
> Cisco 350's?

Not sure.

> It appears that only Cisco and Entrasys have current released firmware to
> support 802.1x, does any other vendor?

Client or AP? Lucent has the AP, but I don't know about the client. I have only tested the EAP/LEAP stuff with my Cisco.

The thing that I get confused about is the fact that documentation indicated that the EAP support should be provided by the client OS, and basically be card independent. The firmware issues seem to be more related to the "card" based authentication of EAP, in Cisco's case it being called Lightweight & Efficient Application Protocol (LEAP). LEAP uses MS-CHAP as the authentication protocol ;)

I am still fuzzy on all this as well. If you run across any good docs, please let me know.

Phil