[RADIATOR] Easy 802.1X

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Tue Aug 13 14:52:48 CDT 2013


Hi,

>    We're working with HP MSM wireless controllers, which can do EAP-TLS,
>    EAP-TTLS, EAP-PEAP, LEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC.
> 
>    I'm looking for the easiest way to allow WPA to use a RADIUS-based
>    username/password for a public-access network. So no client certificates
>    or supplicant software, and supporting a wide range of client devices.
>    Security is not a concern -- currently authentication is done through
>    HTTP, and credentials are not personally identifying information. This is
>    strictly about convenience, to avoid use of the HTML login.

firstly I hope you mean WPA2/AES and not just old WPA/TKIP.

secondly, yes, this is fairly easy - you just need your RADIUS server
to have a certificate signed by a root CA that is common in the OS
platform. The client will then, in most cases, be happy with the cert
and just ask the user for their username/password....which will then
be cached on the device for future auths to your system (and that could
be a problem more than anything else) - this will be with EAP-PEAP (PEAPv0)

obviously, without proper configuration 802.1X is open to abuse - i.e. someone
else could get a cert signed by that same CA and then spoof being one
of your APs and start harvesting credentials...as the clients, if
not set to trust only a particular CN provided will open up EAP and
pass credentials through - whilst the common EAP is PEAP/MSCHAPv2, once
the EAP part is done (which it would be), you just collect the MSCHAPv2
challenge...send to a cloud cracker et voila.....but as you said,
security isn't too much here - if you already have open wireless with
just http auth then that's true.

personally I think moving into this arena, EAP/802.1X is the way to go
for convenience....(if you use EAP-TTLS then you would also be ready
to use hotspot2.0 for automatic association of mobile devices - particularly
if you have agreements etc with carriers).

alan
