(RADIATOR) Radiator, Aironet and EAP (long)

Mike McCauley mikem at open.com.au
Tue Jun 12 15:12:52 CDT 2001


This is a progress report about Cisco Aironet support in Radiator.

We have spent some time recently working with the Cisco Aironet 340 and family
wireless routers with a view to adding compatibility to Radiator. Here is the
state of play:

Cisco Aironet routers support Extensible Authentication Protocol (EAP)
authentication through Radius. EAP is a public protocol that defines a number
of public authentication protocols (encapsulated inside EAP messages) and also
allows for vendor-defined extensions to be added. EAP protocol can be carried
inside Radius packets through the EAP-Message and Message-Authenticator
attributes.

Cisco have defined a proprietary extension to EAP called LEAP (lightweight
extensible ...). LEAP has not been publicly documented, and Cisco say it is a
proprietary protocol which is not to be publicly released. LEAP Radius
authentication is only supported by Cisco Secure at this time.

At this time, Aironet authentication clients (i.e. the computer trying to connect
to the wireless router) are available for Windows, Linux, Mac. However, they
only support LEAP. Nobody is currently offering standard EAP clients for
Aironet on any platform.

This means that right now, the only way you can use Radius to authenticate user
access to Aironet routers is through LEAP and Cisco Secure.

The latest release of Radiator (2.18.2) will correctly proxy EAP and LEAP
Radius packets to and from Cisco Secure, even if the shared secrets are
different, and even if Radius attributes are stripped or added on the way
through (the EAP Message-Authenticator depends on the Radius shared secret and
the _entire_ contents of the Radius packet).

However, right now, it is not possible for Radiator to directly authenticate
LEAP Radius requests.

If you want this to change, you may want to contact your Cisco Rep.

It's an interesting question how anyone can be sure that LEAP is secure if Cisco
don't expose the protocol to public scrutiny?

Views, feedback direct to me, please?




-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
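
Added example, not part of the original post and not Radiator's code: why a proxy that changes the shared secret or strips/adds attributes has to recompute Message-Authenticator, as described in the message above. It assumes the RFC 2869 definition (HMAC-MD5 over the whole packet with the attribute zeroed) and covers Access-Request only; replies use the Request Authenticator of the matching request instead. All function names, secrets and the sample packet are constructed for illustration.

```python
import hashlib, hmac, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR, PROXY_STATE = 79, 80, 33  # RADIUS attribute types

def parse_attrs(body):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def encode(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build(code, ident, authenticator, attrs, secret):
    """Serialise an Access-Request and sign it: HMAC-MD5 over the whole packet,
    keyed with the shared secret, with Message-Authenticator zeroed while hashing."""
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    body = encode(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify(packet, secret):
    """True if the packet carries exactly one valid Message-Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    sent = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(sent) != 1 or len(sent[0]) != 16:
        return False
    zeroed = encode([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, sent[0])

def proxy(packet, client_secret, upstream_secret, strip=(), add=()):
    """Check the client's signature, edit attributes, re-sign for the upstream server."""
    if not verify(packet, client_secret):
        raise ValueError("bad Message-Authenticator from client")
    attrs = [(t, v) for t, v in parse_attrs(packet[20:]) if t not in strip]
    return build(packet[0], packet[1], packet[4:20], attrs + list(add), upstream_secret)

# Constructed sample: Access-Request (code 1) carrying an EAP-Response/Identity.
CLIENT_SECRET, UPSTREAM_SECRET = b"ap-secret", b"upstream-secret"
SAMPLE = build(1, 7, bytes(range(16)), [(1, b"alice"), (5, struct.pack("!I", 3)),
               (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")], CLIENT_SECRET)
FORWARDED = proxy(SAMPLE, CLIENT_SECRET, UPSTREAM_SECRET, strip=(5,), add=[(PROXY_STATE, b"hop1")])
```

A full proxy also has to handle the reply direction and hidden attributes such as User-Password, which this example leaves out.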