Slashdot Mirror


Microsoft and Wireless Authentication

An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"

13 of 135 comments

  1. OS X support by _fuzz_ · · Score: 2, Informative

    Microsoft supports its proprietary NTLMv2 on Mac OS X (http://www.microsoft.com/mac/products/win2ksfm/default.asp) so they might also support OS X for this.

    --
    47% of all statistics are made up on the spot.
  2. open1x.org by Anonymous Coward · · Score: 3, Informative

    There's an open source effort that supports 802.1x with EAP-TLS (http://www.open1x.org). One could probably extend this to work with PEAP, if needed. But there are other protocols that may "win out", such as TTLS or LEAP.

  3. We have our own! by bartman · · Score: 5, Informative

    Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.

    --
    -- bartman
    1. Re:We have our own! by bartman · · Score: 2, Informative

      The actual home page of WaveSec is this.

      --
      -- bartman
  4. What's wrong with it? by vanyel · · Score: 4, Informative

    From my quick scan of the actual IETF draft, it takes the existing PPP authentication model and wraps it in TLS for security, which seems like a reasonable quick-fix. Given that it's being run through the IETF, which from a quick search, LEAP isn't, it would seem to me that PEAP is the better option of the two...

  5. It is MAC address based, and not just for Wireless by Degrees · · Score: 5, Informative

    Cabletron (now Enterasys) tried their darnedest to get their SecureFast VLAN technology adopted as an IEEE standard, but couldn't. Great technology, it tracked every MAC address that entered any switch on the LAN. Problem is, it took lots of horsepower, and Cisco's gear wasn't the low-cost leader by throwing in tons of CPU. Their price point had a benefit: turned them into the 800 pound gorilla. When Cabletron (practically invented VLANs) brought this VLAN technology up for a vote, it got voted down - and the current 'packet tagging' scheme got approved (doesn't take many CPU cycles to look at a tag or not, compared to each switch maintaining access lists and doing lookups on new MACs).

    Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".

    Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less proprietary).

    The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.

    --
    "The most sensible request of government we make is not, "Do something!" But "Quit it!"
  6. prism2 cards by igotmybfg · · Score: 2, Informative

    I just got my linksys wpc11 wireless pc card working under Red Hat 7.3. The drivers are available at www.linux-wlan.com/. These drivers do not support Microsoft's new standard. This may leave many people out in the cold because most wireless cards sold today are based on the prism2/2.5/3 chipset.

  7. Gee by ViceClown · · Score: 4, Informative

    Could this have anything to do with Microsoft's upcoming wireless products this fall? Wouldn't be just too convenient to have your own proprietary security standard for your branded wireless devices. This is the kinda crap I hate from MS :-(

    --
    Have a Happy.
  8. Re:What's there to work on? by Oculus+Habent · · Score: 4, Informative

    I'm not closely familiar with LEAP, but it works with major platforms already. LEAP works with Cisco cards which are supported under Windows and Linux, and with Apple's AirPort cards (not the AirPort Base Station, though) as long as you have revision 2.0 (free download) or later.

    Of course, this doesn't mean LEAP covers Sun, SGI, Cray, and other hardware/OS combinations. But then, you probably won't be setting up your workstations and supercomputers so you can wander around with them; nor are you likely to have corporate visitors to plunk down an SGI on visits. The current options cover much of the personal computer market.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  9. Re:LEAP? PEAP? Just say EAP-TTLS... by bogie · · Score: 5, Informative

    I think your rant is a bit misplaced. MS's PEAP is an effort to create a standard to go with MS's future HOME wireless products. It's not an effort to destroy existing EAPTTLS vendors like Funk et al, nor is it an effort to ensure Linux clients can't participate in secure networks. How many Linux users do you know that will be buying MS's home wireless kits?

    Regarding EAPTLS and certificates, it actually works very well and is completely free if you're using Win2k and XP clients, as opposed to the expensive software that does EAPTTLS. A PKI that is set up to serve wireless clients in a corporate environment is not hard for any decent Windows admin to set up. All you have to do is buy 802.1x hardware like the excellent Orinoco products, and in under 2 hours you have a full 802.1x network with rotating keys and mutual authentication. I have this set up at home and it's awesome. You can read about how to set it up here: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp

    For those of you without a 2k AD domain, you can emulate this with open source software by using FreeRadius, which now supports 802.1x: http://www.freeradius.org/ Also, for more open source goodness, please visit http://www.open1x.org/

    One tip for those of you interested in 802.1x is to buy an Orinoco RG1000, an excellent AP in its own right, and flash it with the AP-500 firmware. That way you get an 802.1x wireless AP for ~$100.

    In conclusion, if you're still reading, realize that while MS is bad (very bad), this is not an effort to lock Linux out of wireless security.

    --
    If you wanna get rich, you know that payback is a bitch
  10. Why not just use IPSec? by jerkyjunkmail · · Score: 2, Informative

    I posted this in some other discussion the other day but.........

    Why not just use IPSec? My co-worker and I have been trying to figure out how to securely deploy 802.11b around the office and I came up with the idea of using IPSec. I'm the lone Macintosh island in a sea of Windows desktops and laptops at the office, so I'm waiting for next week (when I get my copy of Jaguar and hence IPSec support) to really get to hack on this, but the current plan is to use an IPSec VPN (and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux (preference in that order, yeah I know I've got a BSD partiality) firewall between the AP and the wired LAN and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing wired IPSec communication, but in theory that should apply to the wireless as well.

    Here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
    OpenBSD IPSec
    FreeBSD IPSec
    Windows 2000 to FreeBSD
    DaemonNews Article
    FreebsdDiary Article

    After pondering the "secureness" of using IPSec in lieu of WEP, I've come up with one weakness and one side effect, since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say Jane sales chick shows up with her personal laptop and tries to use the wireless network in the office: she gets an IP address but can't get into the wired net because she can't establish an IPSec VPN. Joe cust service has his laptop in the office too. He gets an IP but gets blocked by the IPSec firewall. As a side effect, there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients (if there are any) and use that as a jumping off point to the LAN or to his/her credentials. Another thing I've given some thought to is, depending on the overhead of IPSec, you could take the onion skin approach, making the side effect a little more difficult for non-tech types (we all know how secure WEP is), by also using 64 or 128 bit WEP in addition to IPSec.

    Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines of thought, inaccuracies, etc. I've got going on here. If I'm successful I'll probably document it and post on the Web.

    --
    What is pirate software? Software for inventory of stolen treasure?
  11. What are you talking about?? by alienmole · · Score: 4, Informative

    Just a draft for a project with multiple backers. But it has MS in it, so let's skew the editorial comment.

    Huh? Did you actually read the referenced article? It explicitly talks about the potential dangers here to non-Microsoft systems.

    Seems to me there are plenty of issues here that have the potential to affect Linux wireless access. We want to avoid a repeat of the winmodem situation, which in this case could be more severe because it affects access to networks, not just a local piece of hardware. The way to do that is to make sure information gets out early, along with awareness of the protocols, issues, and potential traps involved.

    You describe yourself as "us on the Nix", but I have to wonder if you've ever touched anything other than Windows - otherwise, you might actually have some appreciation of the real-world problems of coexisting with Microsoft's perpetually broken stuff.

  12. MS PEAP's Already Here by sjvn · · Score: 2, Informative

    "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP."

    Actually, MS is more than working on it. They've implemented it in WinXP SP1. See the July Cable Guy for more details.

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0702.asp

    Steven