Microsoft and Wireless Authentication

An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"

We have our own!

[bartman]

Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.

It is MAC address based, and not just for Wireless

[Degrees]

Cabletron (now Enterasys) tried their darnedest to get their SecureFast VLAN technology adopted as an IEEE standard, but couldn't. Great technology, it tracked every MAC address that entered any switch on the LAN. Problem is, it took lots of horsepower, and Cisco's gear wasn't the low-cost leader by throwing in tons of CPU. Their price point had a benefit: turned them into the 800 pound gorilla. When Cabletron (practically invented VLANs) brought this VLAN technology up for a vote, it got voted down - and the current 'packet tagging' scheme got approved (doesn't take many CPU cycles to look at a tag or not, compared to each switch maintaining access lists and doing lookups on new MAC's).

Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".

Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less propriatery).

The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.

Re:LEAP? PEAP? Just say EAP-TTLS...

[bogie]

I think your rant is a bit misplaced. MS's PEAP is an effort to create a standard to go with MS's future HOME wireless products. Its not an effort to destroy existing EAPTTLS vendors like Funk et al, nor is it an effort to ensure linux clients can't participate in secure networks. How many linux users do you know that will be buying MS's home wireless kits?

Regarding EAPTLS and certificates, it actually works very well and is completely Free if you using Win2k and XP clients as opposed to the expensive software that does EAPTTLS. A PKI that is setup to serve wireless clients in a corporate environment is not hard for any decent windows admin to setup. All you have to do is buy 802.1x hardware like the excellant Orinoco products and in under 2 hours you have a full 802.1x network with rotating keys and Mutual authentication. I have this set up at home and its awesome. You can read about how to set it up here. http://www.microsoft.com/windowsxp/pro/techinfo/de ployment/wireless/default.asp

For those of you without a 2k AD domain, you can emulate this with opensoure software by using FreeRadius which now supports 802.1x http://www.freeradius.org/ Also for more opensource goodness please visit http://www.open1x.org/

On tip for those of you interested in 802.1x is to buy a Orinoco RG1000 an excellent AP in its own right and flash it with the AP-500 firmware. That way you get a 802.1x Wireless AP for ~$100.

In conclusion if you still reading realize that while MS is bad(very bad) this is not an effort to lock linux out or wireless security.