Cisco Aironet client Interop

Ciriza, Victor Victor.Ciriza
Wed Apr 30 09:35:31 PDT 2003


Hi all,

Congratulations on your excellent job. I have 3
boxes running different versions of your driver
and me as admin and users are more than satisfied.

My issue is the following, I try to run these confs:
First conf
--------------------------------------------------------
-iPAQ + PocketPC 2002 + Cisco Aironet 350 client card
Running software version 2.30 released on late march 2003.
This version comes with a certificate management utility
and some software improvements that are meant to provide
support for EAP-TLS auth, older Cisco client versions
didn't come with this. The card runs the latest firmware.

-HostAPd version 0.0.1 (well, the latest) with a Netgear
MA401 wireless NIC installed on a DELL laptop

-FreeRadius 0.8 server (latest snapshot compiled with
latest OPENSSL snapshot for EAP-TLS) running on a RedHat
7.3 box.
--------------------------------------------------------

Second Conf
--------------------------------------------------------
-Fujitsu tablet running WinXP + Cisco Aironet 350 client
card, latest firmware and drivers.

-HostAPd version 0.0.1 (well, the latest) with a Netgear
MA401 wireless NIC installed on a DELL laptop

-FreeRadius 0.8 server (latest snapshot compiled with
latest OPENSSL snapshot for EAP-TLS) running on a RedHat
7.3 box.
--------------------------------------------------------

And all this using:
-A W2K based PKI which IS NOT THE ROOT CERTIFICATE Authority
but a sub Authority (we keep the root authority Hard DISK
install in a vault).

THE TARGET:
-First authorization filter through MAC addresses stored in
the radius server.
-Authenticating clients via EAP-TLS through a hostapd based AP
Coupled with the freeradius server.
-All certificates issued by the W2K PKI.

THE ISSUES:

First conf:
-The client is authenticated at MAC level.
-The client Issues the EAP request.
-Hostapd relays the EAP request to the Radius server
-The radius server identifies the client name and
replies with an EAP-session ACK through the HostAP, which
correctly sends it back to the client
-The client just doesn't understand and displays an auth
Failure.

Second Conf
-Everything works ... If we don't ask the client to authenticate
the server's Certificate (TLS error 49 at freeradius log)

MY CONCLUSIONS:

First conf:
-I think that the latest Cisco drivers have some interop issues
with HostAPd or with themselves :-) ... That's to say they
are bugged.

Second Conf
-There's an issue with the way in which Freeradius and Windows XP
communicate with each other for the Radius server certificate
authentication phase of TLS at the client level. It is probably related
to the fact that the issuing PKI is a Sub CA.

-It is not a big problem, but it could be a security problem if someone
could steal the identity of our Radius server and the client couldn't
check the authenticity of the server.
-WEP key (128 bits !!!) dynamic generation works fine. Even in a P-233
running a cleaned up RedHat 7.3 we rarely climb higher than 30% of load
when transmitting at full rate. Hostapd rarely takes 5% of load and the
rest is just system ops which normally do not need Hard disk access 
... We could embed hostapd + system in a flash card ... Ummm :-)

MY QUESTIONS:
-Has anybody tested something like the two confs I mentioned with better
results?
-I am very interested in people running iPAQ PDA clients with Cisco cards
with the latest version of Cisco drivers and their interoperability with
Freeradius and HostAP; did you have the same problems as me?
-Has anybody got the client-side server certificate auth to work on a
Win XP client?


Well, I know that some of the questions are more freeradius related
... But I imagine that we can find freeradius users in this DL ;-)

If you need logs, screenshots, etc do not hesitate to ask.

Thanks again to Jouni for his superb work.

------------------------------------------------------
Victor Ciriza
System Support Engineer
Xerox Research Centre For Europe
Computer Network Service
6, Chemin Maupertuis
38240 Meylan

Tel. +00 33 (0)476615003
Fax.+00 33 (0)476615099
----------------------------------------------------
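Added example, not part of Victor's post or of hostapd/FreeRADIUS: it builds the kind of three-level PKI the second conf describes (offline root, issuing sub CA, RADIUS server certificate signed by the sub CA) with the openssl CLI and then checks what a client can validate depending on the trust material it holds. It shows the chain-building point behind a client that cannot verify the server's certificate when the issuer is a sub CA: with only the root trusted and no intermediate presented, validation fails; with the intermediate presented alongside the root, or installed together with it, it succeeds. All names (Example Root CA, radius.example.test) are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): offline root -> issuing sub CA
# -> RADIUS server certificate, then client-side chain checks.
# All names are constructed; only the openssl CLI is required.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Offline root CA (the "vault" CA in the post's setup).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 3650 >/dev/null 2>&1

# 2. Subordinate issuing CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Example Issuing Sub CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out sub.crt -days 1825 -extfile sub.ext >/dev/null 2>&1

# 3. RADIUS server certificate, issued by the sub CA (not by the root).
openssl req -newkey rsa:2048 -nodes -keyout radius.key -out radius.csr \
  -subj "/CN=radius.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > radius.ext
openssl x509 -req -in radius.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -out radius.crt -days 365 -extfile radius.ext >/dev/null 2>&1

# Bundle a client would install if it is to trust the root and the sub CA.
cat root.crt sub.crt > trust_bundle.crt

# verify_server_cert TRUSTED_FILE [UNTRUSTED_INTERMEDIATE_FILE]
# Emulates the client-side check: returns 0 only if radius.crt chains to a
# trusted CA, optionally through an intermediate presented by the server.
verify_server_cert() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" radius.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" radius.crt >/dev/null 2>&1
  fi
}

# Root only, intermediate neither trusted nor presented: the chain cannot be
# built, which is what a client sees when the server sends only its leaf.
if verify_server_cert root.crt; then echo "root only: VALID (unexpected)"; else echo "root only: INVALID"; fi
# Root trusted and the sub CA presented with the server cert: valid.
if verify_server_cert root.crt sub.crt; then echo "root + presented sub CA: VALID"; fi
# Root and sub CA both installed on the client: valid.
if verify_server_cert trust_bundle.crt; then echo "root+sub bundle: VALID"; fi
```

The practical check for a RADIUS deployment behind a sub CA is therefore that the server sends its full chain (leaf plus intermediate) in the TLS handshake, or that the intermediate is installed on every client next to the root.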