Initial Association for 802.1X Authentication
I need to authenticate on a network using 802.1X. I will be using dynamic WEP. First, I need to associate with the network. I have two cards I can use: one will allow association with encrypted APs without setting a key and the other will not. I would much rather use the latter card: it is integrated into my notebook. Could setting an arbitrary key (a dummy key) to force association cause problems with authentication? Thanks for any help anyone can offer.
|
Typically, 802.1x with dynamic keys implies EAP-TLS. In any case, your laptop will need to have a supplicant, properly configured, in order to authenticate. What authentication method is in use? What client cards do you have and which supplicant is running on the laptop?
|
Quote:
The ipw2100 driver will not associate with an encrypted AP without a key set. I asked the question I did because I am trying to assess whether this limitation is going to cause problems for me. The supplicant I am using requires you to use iwconfig to associate with the network before authenticating. And after authenticating I get my WEP key. Hence a sort of chicken-and-egg problem. My thought process was that perhaps WEP doesn't encrypt low-level traffic like that used in 802.1x. Even with an arbitrary key set, the card does pick up on the AP's BSSID and does manage to do some communication through the supplicant. It is entirely possible that I am getting the cart before the horse and trying this before the ipw2100 driver's WEP code has stabilized. But that is why I asked the question I did. I am trying to find out why this doesn't work. Thanks for your response and I hope I didn't go on too long here. |
Not too long at all. I appreciate the info. Your situation is quite different from my experience.
I'm using EAP-TLS with XSupplicant on Linux and the Meetinghouse AEGIS client for Windows (I was using the AEGIS supplicant with MD5 on another laptop, just never re-licensed it on the new one). My AP does not support dynamic WEP keys nor do I have any Intel wireless cards, so I'm unable to try to re-create any configuration that might help you. I will be lurking to see what kind of replies you get. You may also want to try the DSLReports wireless networking forum. There are some pretty knowledgeable 802.1x users there. http://www.dslreports.com/forum/wlan Good luck. |
Dynamic WEP Keys :: any resolution to this thread
Anyone have a solution to this thread? I'm experiencing the same problems and have the same setup (802.1x w/AEGIS supplicant). Any advice would be greatly appreciated.
|
I guess I don't know what you mean by same setup--802.1x has different EAP types, not all of which are supported by open-source software (yet). However, if you have LEAP on your AP and an Xsupplicant-supported wireless card (ipw2100 supported as of 0.44, I think), you're in luck. I haven't tested it yet (I'm on summer break), but Xsupplicant CVS is supposed to support LEAP keying. Check out the latest CVS at open1x.sourceforge.net and build it. This is the xsupplicant.conf file I have--but keep in mind I've yet to test it:
Code:
network_list = osuweb

As for the initial encryption key, a dummy key is indeed used. Wireless drivers, or at least the ipw2100, do not encrypt EAPoL frames. You will see something like "Passing unencrypted EAPOL frame" in the system logs when you authenticate (if you have ipw2100). |
I know this isn't completely on-topic here but which WNICs work with LEAP? The Net Admin at my University is claiming that only the Cisco and Apple cards will work but I'd rather buy a Linksys WPC55AG, according to Linksys it works with EAP, but I'm looking for someone who's actually seen this in action. Thanks-in-advance.
Kleedrac |
Any card that supports Xsupplicant should work. You will need Xsupplicant 1.0.1 for LEAP support. See README.wireless_cards in the Xsupplicant distribution for information on supported cards. I haven't gone back to school yet so I haven't been able to test my ipw2100 adapter with LEAP.
Andrew |
Thanks Andrew!! You da man!
Kleed |
ipw2100, xsupplicant and leap
Has anyone gotten this to work? I have a d600 with an ipw2100 under FC3. I can associate with my un-authenticated network at home, no problem. At work, it's a Cisco AP running LEAP. I have yet to get anything working.
If you have xsupplicant using LEAP and an IPW2100 I would love to hear from you. |
I would like to see a config-example for xsupplicant. I installed xsupplicant using apt-get install, and I can't find a file with a default config..
|
## This is a sample configuration file for xsupplicant that explains
## All currently configurable functionality. In general, this file is a
## series of tag-value pairs. In addition to a tag and a value, there is
## also a "network id" to group different tag-value pairs together.
## the file is parsed linearly, so redundant tags with the same network
## id will take the value of the last line. If no network name is provided
## on the command line (using the -n flag) then the network id "default"
## is parsed.

# the id tag indicates what value to return for an EAP Identity request
# in the case of EAP-SIM, this is the IMSI.
default:id = xsupplicant-user@somedomain.com #comment here

## spaces don't matter, this will work too
# default : id = xsupplicant-user@somedomain.com

## the path to the certificate file to be used for the above user
## this option is only useful for TLS authentication
## this should be the path of your user-certificate
default : cert = /etc/1x/certs/xsupplicant-user.cer

## the path to the private key of the user for the user certificate
## this option is only useful for TLS authentication
default : key = /home/xsupplicant-user/myprivatekey.pem

## the path to file containing all valid CAroots
## This option is needed for all TLS-based authentication types:
## TLS, TTLS, PEAP, etc...
default :root = /etc/1x/certs/CAroot.pem

## I have no idea if this does anything
default :auth = none
#default:auth = EAP

## Force this connection to wired or wireless.
## Needed in situations where wired drivers answer ioctls for wireless cards.
## Specifically, some intel cards with current drivers.
## YOU SHOULDN'T USE THIS WITH THE DEFAULT PROFILE! IT WILL PREVENT
## ANY WIRELESS CARDS FROM WORKING! USE THE -w SWITCH INSTEAD!
#default:type = wireless
#default:type = wired

## preferred auth type
## Valid types are: TLS, MD5, TTLS, MSCHAPV2, PEAP, and SIM*
## * - SIM requires --enable-eap-sim at configure time.
default : pref = tls

## password for the connection. This is optional, if you want the supplicant
## to authenticate without prompting for a password.
#default : password = <password>

## Phase 2 auth method for TTLS. (Currently, PAP, CHAP, MS-CHAP, or MS-CHAPv2)
## For PEAP, there is only MS-CHAPv2, so this does nothing.
default : phase2auth = PAP

## Phase 2 username (for using anonymous in the phase 1 piece).
## If this isn't defined, it defaults to the same as the phase 1 piece.
#default : phase2id = username@domain.org

## chunk size
default : chunk_size = 1398

## random file to use
default : random_file = /dev/random

## Shell command to run after the FIRST successful authentication
## command MUST begin with a "/" (absolute path)
default : first_auth = "/sbin/dhclient eth0"

## shell command to run after ALL successful authentications
## the current semantics are that if first_auth is also defined,
## only it is run the first time and after_auth is run every other time
## if first_auth is not defined, after_auth is run after ALL authentications
## including the first.
## command MUST begin with a "/" (absolute path)
default : after_auth = "/bin/echo I authenticated"
|
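Added example (not part of the thread and not xsupplicant's own parser): a small audit of a config in the tag-value format shown in the post above. The parsing rules (last line wins, `default` network id, `#` comments) are inferred from the sample's comments; the names `parse`, `clean`, `audit` and the constructed `SAMPLE` input are assumptions.

```python
import re

# Auth types the sample config says require a CA root file
TLS_BASED = {"tls", "ttls", "peap"}

def clean(value):
    """Strip surrounding quotes, or a trailing '#comment' on unquoted values."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split("#", 1)[0].strip()

def parse(text):
    """Parse 'netid : tag = value' lines; a later line overrides an earlier one."""
    nets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"([^:=\s]+)\s*:\s*([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            net, tag, value = m.groups()
            nets.setdefault(net, {})[tag] = clean(value)
    return nets

def audit(text, network="default"):
    """Return findings for one network id, based on rules stated in the sample."""
    cfg = parse(text).get(network, {})
    findings = []
    if "password" in cfg:
        findings.append("password is stored in cleartext in the config file")
    if cfg.get("pref", "").lower() in TLS_BASED and "root" not in cfg:
        findings.append("TLS-based auth type selected but no CA root configured")
    for tag in ("first_auth", "after_auth"):
        if tag in cfg and not cfg[tag].startswith("/"):
            findings.append(f"{tag} command does not begin with an absolute path")
    return findings

# Constructed sample input, not taken from any real deployment
SAMPLE = """\
default : id = alice@example.org   # identity
default : pref = tls
default : pref = peap
default : password = hunter2
default : first_auth = "dhclient eth0"
default : after_auth = "/bin/echo I authenticated"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```
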
Is wpasupplicant the same as xsupplicant?..
|
No.
That's here: http://hostap.epitest.fi/wpa_supplicant The wpa_supplicant sample config is here: http://hostap.epitest.fi/cgi-bin/vie...ype=text/plain |
Thanks, once again :)
|