LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking > Linux - Wireless Networking
User Name
Password
Linux - Wireless Networking This forum is for the discussion of wireless networking in Linux.

Notices

Reply
 
Search this Thread
Old 04-16-2004, 05:44 PM   #1
andrewb758
Member
 
Registered: Jan 2003
Location: Columbus, OH USA
Distribution: Debian unstable
Posts: 63

Rep: Reputation: 15
Initial Association for 802.1X Authentication


I need to authenticate on a network using 802.1X. I will be using dynamic WEP. First, I need to associate with the network. I have two cards I can use: one will allow association with encrypted APs without setting a key and the other will not. I would much rather use the latter card: it is integrated into my notebook. Could setting an aribtrary key (a dummy key) to force association cause problems with authentication? Thanks for any help anyone can offer.
 
Old 04-17-2004, 01:33 AM   #2
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
Typically, 802.1x with dynamic keys implies EAP-TLS. In any case, your laptop will need to have a supplicant, properly configured, in order to authenticate. What authentication method is in use? What client cards do you have and which supplicant is running on the laptop?
 
Old 04-17-2004, 10:11 AM   #3
andrewb758
Member
 
Registered: Jan 2003
Location: Columbus, OH USA
Distribution: Debian unstable
Posts: 63

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by 2Gnu
Typically, 802.1x with dynamic keys implies EAP-TLS. In any case, your laptop will need to have a supplicant, properly configured, in order to authenticate. What authentication method is in use? What client cards do you have and which supplicant is running on the laptop?
In that case, I guess I don't have a typical situation. The network I am using supports two EAP types: LEAP and PEAP-GTC. That being the case, I am forced to use a commecrial supplicant (Meetinghouse AEGIS Client) as opposed to the open-source Xsupplicant. There are two cards I have available: a D-Link DWL-650 rev. P, which would use HostAP, and an Intel PRO/Wireless 2100 (Centrino), which uses the new ipw2100 driver.

The ipw2100 driver will not associate with an encrypted AP without a key set. I asked the question I did because I am trying to assess whether this limitation is going to cause problems for me. The supplicant I am using requires you to use iwconfig to associate with the network before authenticating. And after authenticating I get my WEP key. Hence a sort of chicken-and-egg problem.

My thought process was that perhaps WEP doesn't encrypt low-level traffic like that used in 802.1x. Even with an arbitrary key set, the card does pick up on the AP's BSSID and does manage to do some communication through the supplicant. It is entirely possible that I am getting the cart before the horse and trying this before the ipw2100 driver's WEP code has stablized. But that is why I asked the question I did. I am trying to find out why this doesn't work.

Thanks for your response and I hope I didn't go on too long here.
 
Old 04-17-2004, 09:44 PM   #4
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
Not too long at all. I appreciate the info. Your situation is quite different from my experience.

I'm using EAP-TLS with XSupplicant on Linux and the Meetinghouse AEGIS client for Windows (I was using the AEGIS supplicant with MD5 on another laptop, just never re-licensed it on the new one). My AP does not support dynamic WEP keys nor do I have any Intel wireless cards, so I'm unable to try to re-create any configuration that might help you.

I will be lurking to see what kind of replies you get. You may also want to try the DSLReports wireless networking forum. There are some pretty knowledgeable 802.1x users there. http://www.dslreports.com/forum/wlan

Good luck.
 
Old 08-18-2004, 11:43 AM   #5
Techniq808
LQ Newbie
 
Registered: Aug 2004
Distribution: SuSE
Posts: 1

Rep: Reputation: 0
Dynamic WEP Keys :: any resolution to this thread

Anyone have a soultion to this thread. I'm experiencing the same problems and have the same setup (802.1x w/AEGIS supplicanr). Any advice we be greatly appreciated.
 
Old 08-18-2004, 08:38 PM   #6
andrewb758
Member
 
Registered: Jan 2003
Location: Columbus, OH USA
Distribution: Debian unstable
Posts: 63

Original Poster
Rep: Reputation: 15
I guess I don't know what you mean by same setup--802.1x has different EAP types, not all of which are supported by open-source software (yet). However, if you've have LEAP on your AP and a Xsupplicant-supported wireless card (ipw2100 supported as of 0.44, I think), you're in luck. I haven't tested it yet (I'm on summer break), but Xsupplicant CVS is supposed to support LEAP keying. Check out the latest CVS at open1x.sourceforge.net and build it. This is the xsupplicant.conf file I have--but keep in mind I've yet to test it:

Code:
network_list = osuweb
default_netname = default
first_auth_command = <BEGIN_COMMAND>dhcpcd -t 10 -N -h `cat /etc/hostname`<END_COMMAND>
logfile = /var/log/xsupplicant.log
allow_interfaces = eth1

osuweb
{ 
  type = wireless
  allow_types = all
  identity = <BEGIN_ID>yourid@yourdomain.net<END_ID>
  
  eap-leap {
      username = <BEGIN_UNAME>yourid<END_UNAME>
      password = <BEGIN_PASS>yourpassword<END_PASS>
  }
}
You will most likely need to edit that to suit your needs, especially if SuSE doesn't use dhcpcd as it's DHCP client daemon. I mentioned PEAP-GTC as another route I could take, but that is not yet supported in Xsupplicant. I believe that LEAP and PEAP-GTC are both common on Cisco equipment, so if you have one you might have the other.

As for the initial encryption key, a dummy key is indeed used. Wireless drivers, or at least the ipw2100, do not encrypt EAPoL frames. You will see something like "Passing unencrypted EAPOL frame" in the system logs when you authenticate (if you have ipw2100).
 
Old 08-27-2004, 10:25 AM   #7
Kleedrac
Member
 
Registered: Apr 2004
Location: Saskatoon SK. CA
Distribution: Ubuntu Dapper
Posts: 50

Rep: Reputation: 15
I know this isn't completely on-topic here but which WNICs work with LEAP? The Net Admin at my University is claiming that only the Cisco and Apple cards will work but I'd rather buy a Linksys WPC55AG, according to Linksys it works with EAP, but I'm looking for someone who's actually seen this in action. Thanks-in-advance.

Kleedrac
 
Old 08-27-2004, 10:47 AM   #8
andrewb758
Member
 
Registered: Jan 2003
Location: Columbus, OH USA
Distribution: Debian unstable
Posts: 63

Original Poster
Rep: Reputation: 15
Any card that supports Xsupplicant should work. You will need Xsupplicant 1.0.1 for LEAP support. See README.wireless_cards in the Xsupplicant distribution for information on supported cards. I haven't gone back to school yet so I haven't been able to test my ipw2100 adapter with LEAP.

Andrew
 
Old 08-27-2004, 08:07 PM   #9
Kleedrac
Member
 
Registered: Apr 2004
Location: Saskatoon SK. CA
Distribution: Ubuntu Dapper
Posts: 50

Rep: Reputation: 15
Thanks Andrew!! You da man!

Kleed
 
Old 01-31-2005, 05:35 PM   #10
richardg1952
LQ Newbie
 
Registered: May 2004
Location: Beaverton, OR
Distribution: Fedora Core 2
Posts: 7

Rep: Reputation: 0
ipw2100, xsupplicant and leap

Has hanyone gotten this to work? I have a d600 with an ipw2100 under FC3. I can associate with my un-athenticated network at home, no problem. At work, it's a cisco AP running LEAP. I have yet to get anything working.

If you have xsupplicant using LEAP and an IPW2100 I would love to hear from you.
 
Old 03-03-2005, 02:56 PM   #11
littlemidget
Member
 
Registered: Aug 2004
Location: Oslo, Norway.
Distribution: Debian Sarge
Posts: 171

Rep: Reputation: 30
I would like to see a config-example for xsupplicant. I installed xsupplicant using apt-get install, and I can't find a file with a default config..
 
Old 03-03-2005, 02:59 PM   #12
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
## This is a sample configuration file for xsupplicant that explains
## All currently configurable functionality. In general, this file is a
## series of tag-value pairs. In addition to a tag and a value, there is
## also a "network id" to group different tag-value pairs together.
## the file is parsed linearly, so redundant tags with the same network
## id will take the value of the last line. If no network name is provided
## on the command line (using the -n flag) then the network id "default"
## is parsed.

# the id tag indicates what value to return for an EAP Identity request
# in the case of EAP-SIM, this is the IMSI.
default:id = xsupplicant-user@somedomain.com #comment here

## spaces don't matter, this will work too
# default : id = xsupplicant-uesr@somedomain.com

## the path to the certificate file to be used for the above user
## this option is only useful for TLS authentication
## this should be the path of your user-certificate
default : cert = /etc/1x/certs/xsupplicant-user.cer

## the path to the private key of the user for the user certificate
## this option is only useful for TLS authentication
default : key = /home/xsupplicant-user/myprivatekey.pem

## the path to file containing all valid CAroots
## This option is needed for all TLS-based authentication types:
## TLS, TTLS, PEAP, etc...
default :root = /etc/1x/certs/CAroot.pem

## I have no idea if this does anything
default :auth = none
#default:auth = EAP

## Force this connection to wired or wireless.
## Needed in situations where wired drivers answer ioctls for wireless cards.
## Specifically, some intel cards with current drivers.
## YOU SHOULDN'T USE THIS WITH THE DEFAULT PROFILE! IT WILL PREVENT
## ANY WIRELESS CARDS FROM WORKING! USE THE -w SWITCH INSTEAD!
#default:type = wireless
#default:type = wired

## preferred auth type
## Valid types are: TLS, MD5, TTLS, MSCHAPV2, PEAP, and SIM*
## * - SIM requires --enable-eap-sim at configure time.
default : pref = tls

## password for the connection. This is optional, if you want the supplicant
## to authenticate without prompting for a password.
#default : password = <password>

## Phase 2 auth method for TTLS. (Currently, PAP, CHAP, MS-CHAP, or MS-CHAPv2)
## For PEAP, there is only MS-CHAPv2, so this does nothing.
default : phase2auth = PAP

## Phase 2 username (for using anonymous in the phase 1 piece).
## If this isn't defined, it defaults to the same as the phase 1 piece.
#default : phase2id = username@domain.org

## chunk size
default : chunk_size = 1398

## random file to use
default : random_file = /dev/random

## Shell command to run after the FIRST successful authentication
## command MUST begin with a "/" (absolute path)
default : first_auth = "/sbin/dhclient eth0"

## shell command to run after ALL successful authentications
## the current semantics are that if first_auth is also defined,
## only it is run the first time and after_auth is run ever other time
## if first_auth is not defined, after_auth is run after ALL authentications
## including the first.
## command MUST begin with a "/" (absolute path)
default : after_auth = "/bin/echo I authenticated"
 
Old 03-03-2005, 03:07 PM   #13
littlemidget
Member
 
Registered: Aug 2004
Location: Oslo, Norway.
Distribution: Debian Sarge
Posts: 171

Rep: Reputation: 30
Is wpasupplicant the same as xsupplicant?..
 
Old 03-03-2005, 04:32 PM   #14
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
No.
That's here: http://hostap.epitest.fi/wpa_supplicant
The wpa_supplicant sample config is here: http://hostap.epitest.fi/cgi-bin/vie...ype=text/plain
 
Old 03-04-2005, 12:12 AM   #15
littlemidget
Member
 
Registered: Aug 2004
Location: Oslo, Norway.
Distribution: Debian Sarge
Posts: 171

Rep: Reputation: 30
Thanks, once again
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
802.11g clients w/ 802.11b access point peok Linux - Wireless Networking 2 11-01-2005 12:30 AM
iwconfig thinks my 802.11g card is 802.11b Relativity Linux - Wireless Networking 1 04-04-2005 09:17 PM
802.1x authentication over LAN Ben Novack Linux - Wireless Networking 0 02-10-2004 11:18 PM
Problems to enable 802.11g instead of 802.11b on WMP54g ronannormandie Linux - Wireless Networking 0 01-14-2004 02:59 PM
RedHat 8.0 with 802.11a 802.11b and 802.11g Bryanx Linux - Hardware 2 05-23-2003 02:12 AM


All times are GMT -5. The time now is 11:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration