Microsoft and Wireless Authentication

An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"

We have our own!

[bartman]

Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.

What's wrong with it?

[vanyel]

From my quick scan of the actual IETF draft, it takes the existing PPP authentication model and wraps it in TLS for security, which seems like a reasonable quick-fix. Given that it's being run through the IETF, which from a quick search, LEAP isn't, it would seem to me that PEAP is the better option of the two...

It is MAC address based, and not just for Wireless

[Degrees]

Cabletron (now Enterasys) tried their darnedest to get their SecureFast VLAN technology adopted as an IEEE standard, but couldn't. Great technology, it tracked every MAC address that entered any switch on the LAN. Problem is, it took lots of horsepower, and Cisco's gear wasn't the low-cost leader by throwing in tons of CPU. Their price point had a benefit: turned them into the 800 pound gorilla. When Cabletron (practically invented VLANs) brought this VLAN technology up for a vote, it got voted down - and the current 'packet tagging' scheme got approved (doesn't take many CPU cycles to look at a tag or not, compared to each switch maintaining access lists and doing lookups on new MAC's).

Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".

Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less propriatery).

The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.

Gee

[ViceClown]

Could this have anything to do with Microsoft's upcoming wireless products this fall? Wouldn't be just too convenient to have your own proprietary security standard for your branded wireless devices. This is the kinda crap I hate from MS :-(

Re:What's there to work on?

[Oculus+Habent]

I'm not closely familiar with LEAP, but it works with major platforms already. LEAP works with Cisco cards which are supported under Windows and Linux, and with Apple's AirPort cards (not the AirPort Base Station, though) as long as you have revision 2.0 (free download) or later.

Of course, this doesn't mean LEAP covers Sun, SGI, Cray, and other hardware/OS combinations. But then, you probably won't be setting up your workstations and supercomputers so you can wander around with them; nor are you likely to have corporate visitors to plunk down an SGI on visits. The current options cover much of the personal computer market.

Re:LEAP? PEAP? Just say EAP-TTLS...

[bogie]

I think your rant is a bit misplaced. MS's PEAP is an effort to create a standard to go with MS's future HOME wireless products. Its not an effort to destroy existing EAPTTLS vendors like Funk et al, nor is it an effort to ensure linux clients can't participate in secure networks. How many linux users do you know that will be buying MS's home wireless kits?

Regarding EAPTLS and certificates, it actually works very well and is completely Free if you using Win2k and XP clients as opposed to the expensive software that does EAPTTLS. A PKI that is setup to serve wireless clients in a corporate environment is not hard for any decent windows admin to setup. All you have to do is buy 802.1x hardware like the excellant Orinoco products and in under 2 hours you have a full 802.1x network with rotating keys and Mutual authentication. I have this set up at home and its awesome. You can read about how to set it up here. http://www.microsoft.com/windowsxp/pro/techinfo/de ployment/wireless/default.asp

For those of you without a 2k AD domain, you can emulate this with opensoure software by using FreeRadius which now supports 802.1x http://www.freeradius.org/ Also for more opensource goodness please visit http://www.open1x.org/

On tip for those of you interested in 802.1x is to buy a Orinoco RG1000 an excellent AP in its own right and flash it with the AP-500 firmware. That way you get a 802.1x Wireless AP for ~$100.

In conclusion if you still reading realize that while MS is bad(very bad) this is not an effort to lock linux out or wireless security.

What are you talking about??

[alienmole]

Just a draft for a project with multiple backers. But is has MS in it so lets skew the editorial comment.

Huh? Did you actually read the referenced article? It explicitly talks about the potential dangers here to non-Microsoft systems.

Seems to me there are plenty of issues here that have the potential to affect Linux wireless access. We want to avoid a repeat of the winmodem situation, which in this case could be more severe because it affects access to networks, not just a local piece of hardware. The way to do that is to make sure information gets out early, along with awareness of the protocols, issues, and potential traps involved.

You describe yourself as "us on the Nix", but I have to wonder if you've ever touched anything other than Windows - otherwise, you might actually have some appreciation of the real-world problems of coexisting with Microsoft's perpetually broken stuff.