Reauthentication Problem

Jacques Caron jacques_m_caron
Fri Apr 4 08:59:26 PST 2003


Hi,

EAP-MD5 can't even provide session keys, so on top of being insecure it is 
quite useless for WLANs. Which explains why MS disabled it in XP SP1 (it's 
still there, just not available for WLANs, only for PPP-derived protocols, 
afaik).

EAP-TLS is a better choice, or PEAP + EAP-MSCHAP. There are a lot of other 
good candidates, but you need the appropriate support on both the client 
and RADIUS server, of course.

Jacques.

At 18:51 04/04/2003, Jose Araujo wrote:
>Hi.
>
>Well, I don't know if EAP-MD5 supports dynamic keying, I have read 
>somewhere that it doesn't, but the RFC doesn't seem to indicate that it 
>does not.
>
>I am also thinking about using MD5, but from what I have read, it enables a 
>man in the middle attack, that intercepts your authentication and then 
>forwards that request to the real AP enabling it to intercept your traffic 
>and to crack your password.
>
>If you have few users, then EAP-TLS shouldn't give you too much trouble 
>and is much more secure.
>
>So in my limited knowledge I suggest you either change to TLS or 
>disable dynamic keying.
>
>Hope it helps
>
>Jose Araujo
>
>P.S. I am also sending this message to the hostap list, but it takes a 
>little more time to be processed :-)
>
>Venkatesh N wrote:
>
>>Hi,
>>
>>Thanks for your quick response.
>>
>>I need MD5 authentication, so with this requirement what could be done
>>to avoid failure of Re-Authentication?
>>
>>regards,
>>Venkatesh N
>>
>>Jose Araujo wrote:
>>
>>
>>
>>>Hi,
>>>
>>>What version of XP are you using? Please try to upgrade to XP SP1 (it
>>>seems better, but it removes MD5 auth).
>>>
>>>In my setup the key negotiation happens every 5 minutes (300 secs) and I
>>>don't have any problem with both the broadcast key and the unicast key
>>>(both at WEP 128).
>>>
>>>I even tried to change keys every 20 secs, and it still worked like a charm.
>>>
>>>Jose Araujo
>>>
>>>Venkatesh N wrote:
>>>
>>>
>>>
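
Added example, not part of the original thread and not hostapd code: a small EAP packet parser with the server-side MD5-Challenge check from RFC 1994/3748, showing that the EAP-MD5 exchange ends in a yes/no comparison and leaves nothing to derive per-session WEP keys from, unlike EAP-TLS or PEAP. The function names, the `DERIVES_KEYS` table and the sample identifier, challenge and secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# EAP method type numbers for the methods named in the thread (RFC 3748 / IANA).
MD5_CHALLENGE, EAP_TLS, PEAP = 4, 13, 25
# Does the method export key material an AP could use for dynamic WEP keys?
DERIVES_KEYS = {MD5_CHALLENGE: False, EAP_TLS: True, PEAP: True}

def parse_eap(packet):
    """Parse Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(packet) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (1, 2, 3, 4) or not 4 <= length <= len(packet):
        raise ValueError("bad EAP code or length")
    if code in (3, 4):  # Success/Failure carry no Type field
        return {"code": code, "id": ident, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response without Type")
    return {"code": code, "id": ident, "type": packet[4], "data": packet[5:length]}

def md5_value(data):
    """Value field of MD5-Challenge type-data: Value-Size(1) Value Name."""
    if not data or data[0] > len(data) - 1:
        raise ValueError("bad Value-Size")
    return data[1:1 + data[0]]

def verify_md5_response(request, response, secret):
    """Server-side check: Value == MD5(Identifier || secret || Challenge)."""
    req, resp = parse_eap(request), parse_eap(response)
    if (req["type"], resp["type"]) != (MD5_CHALLENGE, MD5_CHALLENGE) or req["id"] != resp["id"]:
        return False
    want = hashlib.md5(bytes([req["id"]]) + secret + md5_value(req["data"])).digest()
    return hmac.compare_digest(want, md5_value(resp["data"]))  # a yes/no, no key output

def derives_keys(packet):
    """True/False for the methods above, None for anything else."""
    return DERIVES_KEYS.get(parse_eap(packet)["type"])

def build(code, ident, eap_type, data):  # helper for the constructed samples
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def demo():
    """Constructed exchange (not from a capture): identifier 7, secret b'example'."""
    chal = bytes(range(16))
    req = build(1, 7, MD5_CHALLENGE, bytes([16]) + chal)
    value = hashlib.md5(bytes([7]) + b"example" + chal).digest()
    resp = build(2, 7, MD5_CHALLENGE, bytes([16]) + value + b"user")
    return verify_md5_response(req, resp, b"example"), derives_keys(req)
```

`demo()` returns `(True, False)`: the response verifies, and the method is flagged as unable to supply keys for rekeying.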