Freeradius and Linksys WRT54GS

Freeradius and Linksys WRT54GS

Thierry-3
Hi,

I got a freeradius configured to handle LEAP authentication.

It works with a Cisco AP, a Cisco Aironet 1100:
client 10.0.0.1 {
       secret = secret
       shortname = apcisco
       nastype = cisco
}

But it fails for the Linksys WRT54GS:

client 192.168.1.1
{
       secret = secret
       shortname = linksys
       nastype = cisco
}

I tried different nastype values:
With other, or with nastype commented out, nothing happens after the identity frames.
With the cisco nastype, LEAP didn't finish; the AP does not send the last
frame to respond to the supplicant challenge.

Is there a specific nastype for Linksys, or is this AP bugged?
I tried with another RADIUS (SBR/Windows) with the same behaviour.

Do you know of APs other than Cisco ones that do 802.1X successfully
with freeradius?

Regards,

--
 Thierry                          mailto:[hidden email]


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius and Linksys WRT54GS

Guy Davies
Are you sure that the Linksys AP supports LEAP?  LEAP is a somewhat
proprietary Cisco method that places unusual requirements on the AP
(unlike other EAP methods that are simply converted from EAP in EAPOL to
EAP in RADIUS by the AP).  I know that Linksys is now owned by Cisco but
I am not sure that they've implemented LEAP capabilities.  AFAIK, Apple
is the only other vendor to support LEAP.

LEAP isn't a particularly strong EAP method anyway.  I'd recommend (and
so would Cisco, now) using a different method (PEAP/MS-CHAPv2 if you
must, EAP/TTLS if you can).  So long as the Linksys can do EAP
passthrough, you should be OK with these.

Rgds,

Guy


Re: Freeradius and Linksys WRT54GS

Artur Hecker
In reply to this post by Thierry-3
hi


i don't want to tell nonsense, but as far as I know, LEAP is not a pure
EAP type. the AP has thus to support it. and the WRT54 does not.

do not blame the WRT, blame LEAP and its design. and it has nothing to
do with 802.1X - standard 802.1X protocols should work with WRT54.


ciao
artur



Re[2]: Freeradius and Linksys WRT54GS

Thierry-3
In reply to this post by Guy Davies

Thursday, September 1, 2005, 11:59:28 AM, you wrote:

GD> Are you sure that the Linksys AP supports LEAP.  LEAP is a somewhat
GD> proprietary Cisco method that places unusual requirements on the AP
GD> (unlike other EAP methods that are simply converted from EAP in EAPOL to
GD> EAP in RADIUS by the AP).

OK, I was not aware of these specifics of LEAP.
Thanks a lot for the answer.


--
 Thierry                          mailto:[hidden email]



Authentication succeeds even with incorrect shared secret.

Sayantan Bhowmick
In reply to this post by Artur Hecker
Hi,
   I am using FreeRADIUS version 1.0.2 and I am trying to authenticate
users using CHAP authentication. Everything works and authentication
goes through except that users are authenticated successfully (provided
userid and password are correct) irrespective of what is entered for the
"shared secret" in the client. Is this a defect? Shouldn't the RADIUS
server check whether the client is using the correct "shared secret"?

Thanks and Regards,
-Sayantan.


Re: Authentication succeeds even with incorrect shared secret.

Stefan.Neis@t-online.de
        Hi,

Sayantan Bhowmick wrote:
> I am trying to authenticate users using CHAP authentication.
(snip)
> users are authenticated successfully (provided userid and
> password are correct) irrespective of what is entered for the
> "shared secret" in the client. Is this a defect?

IIRC, yes, that means the client is broken.

> Shouldn't the RADIUS server check whether the client is
>  using the correct "shared secret"?

No, he can't, in general. In authentication, the shared secret
is used to protect secret data (e.g. cleartext passwords when
doing PAP or MPPE-Keys when doing MS-CHAP).  Unless
you're using one of the attributes encrypted by means of the
shared secret, the server never knows whether or not the
client is using the same shared secret.
IIRC, the server, however, is kind of "signing" his reply with
the secret key, so if that's not the same one that the client
has, the client should reject the server's reply as coming from
a non-trustworthy server and not give you access.

          HTH,
                  Stefan

Re: Authentication succeeds even with incorrect shared secret.

Alan DeKok
In reply to this post by Sayantan Bhowmick
"Sayantan Bhowmick" <[hidden email]> wrote:
>    I am using FreeRADIUS version 1.0.2 and I am trying to authenticate
> users using CHAP authentication. Everything works and authentication
> goes through except that users are authenticated successfully (provided
> userid and password are correct) irrespective of what is entered for the
> "shared secret" in the client. Is this a defect? Shouldn't the RADIUS
> server check whether the client is using the correct "shared secret"?

  For CHAP, it can't.

  The *client* will see that the response packet isn't signed
properly, and will reject it.

  Alan DeKok.


Re: Authentication succeeds even with incorrect shared secret.

Michael Lecuyer
In reply to this post by Sayantan Bhowmick


Sayantan Bhowmick wrote:

> Hi,
>    I am using FreeRADIUS version 1.0.2 and I am trying to authenticate
> users using CHAP authentication. Everything works and authentication
> goes through except that users are authenticated successfully (provided
> userid and password are correct) irrespective of what is entered for the
> "shared secret" in the client. Is this a defect? Shouldn't the RADIUS
> server check whether the client is using the correct "shared secret"?
>
> Thanks and Regards,
> -Sayantan.

Re: Authentication succeeds even with incorrect shared secret.

Sayantan Bhowmick
In reply to this post by Stefan.Neis@t-online.de
Thank You Alan and Stefan for your replies.
 So if I understand correctly, in case of authentication methods like
CHAP the client does NOT SEND ANYTHING SIGNED with the "shared secret"
and as such the RADIUS server CANNOT verify whether the client has the
proper shared secret. In this case it is the client's job to verify the
server's reply. Am I correct?

Thanks and Regards,
-Sayantan.


Re: Authentication succeeds even with incorrect shared secret.

Alan DeKok
"Sayantan Bhowmick" <[hidden email]> wrote:
>  So if I understand correctly in case of authentication methods like
> CHAP the client does NOT SEND ANYTHING  SIGNED with the "shared secret"
> and as such the RADIUS server CANNOT verify whether the client has the
> proper shared secret. In this case it is the client's job to verify the
> server's reply. Am I correct?

  Yes.

  Alan DeKok.
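
The behaviour described in the replies above, as an added example that is not part of the original thread and is not FreeRADIUS code: the CHAP response is computed without the shared secret, so the server's check passes whatever secret the NAS holds, while the reply's Response Authenticator only verifies on a NAS with the matching secret. The function names, secrets and password are constructed for illustration, and the Request Authenticator doubles as the CHAP challenge, as RFC 2865 allows when no CHAP-Challenge attribute is sent.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def chap_password(chap_id, password, challenge):
    """CHAP-Password value: ident byte + MD5(ident || password || challenge).
    The RADIUS shared secret is not an input."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def server_checks_chap(chap_value, stored_password, challenge):
    """Server side: recompute the CHAP response from the user's password."""
    expected = chap_password(chap_value[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_value)

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator =
    MD5(Code || ID || Length || Request Authenticator || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def client_accepts(reply, request_auth, secret):
    """Client (NAS) side: recompute the authenticator with its own secret."""
    header, auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)

def run_exchange(nas_secret, server_secret=b"server-side-secret"):
    """One CHAP login with constructed values; returns
    (server verified CHAP, NAS accepted the reply)."""
    password = b"users-password"      # constructed sample password
    request_auth = bytes(range(16))   # random in practice; used as CHAP challenge
    chap = chap_password(7, password, request_auth)
    chap_ok = server_checks_chap(chap, password, request_auth)
    reply = build_reply(ACCESS_ACCEPT, 1, b"", request_auth, server_secret)
    return chap_ok, client_accepts(reply, request_auth, nas_secret)

if __name__ == "__main__":
    print(run_exchange(b"server-side-secret"))  # matching secrets
    print(run_exchange(b"wrong-secret"))        # mismatched secrets
```

A NAS that grants access in the second case has skipped the `client_accepts` step, which is the broken-client situation the replies point to.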