Slashdot Mirror


Microsoft and Wireless Authentication

An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"

9 of 135 comments

  1. What's there to work on? by srwalter · · Score: 5, Insightful

    I think the more logical approach is rather to more thoroughly develop the existing standard, LEAP. Just because MS made a new standard doesn't mean that everyone has to use it.

    Seems to me it is a much more efficient use of man-power to just ignore it; maybe it will go away. I don't see why Cisco would invest their time and money in making themselves compatible to a competing technology. The only one who benefits from it is MS, therefore, they should be the only ones to use it. And if they /are/ the only ones to use it, it doesn't even benefit them.

    --
    Freedom is the freedom to say that 2 + 2 = 4
  2. Wireless Hackers by Wumpus · · Score: 5, Funny

    Opensource wireless hackers, are you working on this?

    *Yawn*

    No, we're not. Can I go back to sleep now?

  3. We have our own! by bartman · · Score: 5, Informative

    Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.

    --
    -- bartman
  4. LEAP? PEAP? Just say EAP-TTLS... by hrbrmstr · · Score: 5, Interesting

    EAP-LEAP is one of the worst attempts (after basic WEP) at developing a protocol to secure wireless communications. Better to do IPSec through a VPN than to use it.

    EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...

    EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).

    The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.

    Unfortunately, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.

    Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).

    Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.

    I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).

    --
    Mind the gap...
    1. Re:LEAP? PEAP? Just say EAP-TTLS... by bogie · · Score: 5, Informative

      I think your rant is a bit misplaced. MS's PEAP is an effort to create a standard to go with MS's future HOME wireless products. It's not an effort to destroy existing EAP-TTLS vendors like Funk et al, nor is it an effort to ensure linux clients can't participate in secure networks. How many linux users do you know that will be buying MS's home wireless kits?

      Regarding EAP-TLS and certificates, it actually works very well and is completely Free if you're using Win2k and XP clients as opposed to the expensive software that does EAP-TTLS. A PKI that is set up to serve wireless clients in a corporate environment is not hard for any decent windows admin to set up. All you have to do is buy 802.1x hardware like the excellent Orinoco products and in under 2 hours you have a full 802.1x network with rotating keys and mutual authentication. I have this set up at home and it's awesome. You can read about how to set it up here: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp

      For those of you without a 2k AD domain, you can emulate this with open source software by using FreeRADIUS, which now supports 802.1x: http://www.freeradius.org/ Also for more open source goodness please visit http://www.open1x.org/

      One tip for those of you interested in 802.1x is to buy an Orinoco RG1000, an excellent AP in its own right, and flash it with the AP-500 firmware. That way you get an 802.1x Wireless AP for ~$100.

      In conclusion, if you're still reading, realize that while MS is bad (very bad) this is not an effort to lock linux out of wireless security.

      --
      If you wanna get rich, you know that payback is a bitch
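An added example, not code from any comment in this thread: the shape of the FreeRADIUS `eap` module configuration that the 802.1x setup described above would use. It assumes FreeRADIUS 3.0.x syntax (which postdates this thread; the 2002-era configuration differed), the default `${certdir}`/`${cadir}` variables from radiusd.conf, and placeholder certificate file names. It lays the three methods argued about above side by side: EAP-TLS, which needs a certificate on every client, against EAP-TTLS and PEAP, which need only a server certificate and run a password method inside the TLS tunnel. In all three cases the client must verify the server certificate against `ca_file`; a client configured to skip that check will hand its credentials to any access point that presents a certificate, which is the roaming weakness the posts above worry about.

```conf
# FreeRADIUS 3.0.x mods-available/eap (added example, not from the thread).
# Certificate file names below are placeholders.
eap {
    # Method offered when the supplicant does not ask for a specific one.
    default_eap_type = ttls

    # One TLS configuration shared by EAP-TLS, EAP-TTLS and PEAP.
    tls-config tls-common {
        private_key_file = ${certdir}/server.key   # placeholder
        certificate_file = ${certdir}/server.pem   # placeholder
        ca_file          = ${cadir}/ca.pem         # placeholder: CA clients trust
        tls_min_version  = "1.2"
        # Session resumption off: every association re-runs the handshake,
        # so a stolen session cache cannot be replayed.
        cache {
            enable = no
        }
    }

    # EAP-TLS: mutual authentication by certificate. Every client needs
    # its own certificate issued by the CA in ca_file, which is the PKI
    # burden hrbrmstr objects to and bogie considers manageable.
    tls {
        tls = tls-common
    }

    # EAP-TTLS: only the server presents a certificate. The password
    # exchange runs inside the tunnel and is handed to the inner-tunnel
    # virtual server, which looks the user up (e.g. in the users file).
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    # PEAP: same shape as TTLS; the inner method is EAP-MSCHAPv2, which is
    # what the Windows XP supplicant speaks.
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    # Inner method used by the TTLS and PEAP sections above.
    mschapv2 {
    }
}
```

With this in place the access point only needs to forward EAP to the RADIUS server (the AP never sees the password or the client certificate), and the per-session key material that the access point uses for WEP key rotation is derived from the TLS handshake, which is the "authentication AND key management" point raised further down the thread.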
  5. This is Bullshit. Here's Why: by Anonymous Coward · · Score: 5, Interesting

    - This is a multi-vendor effort, since the first question every wireless equipment reseller gets asked during the first five minutes of any REAL customer presentation (i.e., the ones with geeks in them, not fat corporate flunkies looking for a couple hours off and free pens) is: what do you have besides WEP?

    - Cisco in particular has been getting bashed for LEAP not being a real standard, not being open-source (ask the Radiator guys at open.com.au what kind of answer they got when they wanted to implement LEAP) and having at least two security loopholes (search slashdot for the info)

    - It does NOT require deployment of a certificate authority. It depends on how you decide to configure your setup, and will work just the same as LEAP, but in a standardized way.

    - I have had Cisco beta firmware (for Aironet 350) that implements this for two months now. It has a few quirks, but it's supposed to be stable come Q4 (i.e., in a couple of weeks now). It's a trifle slow, and seems to glitch on WEP key rotation.

    (the real issue is not just two-way authentication, but authentication AND key management.)

    - It's supposedly compatible with just about any 802.1x client (so Xsupplicant should work, but I couldn't be bothered to try)

    - Apple already supports LEAP (so so), so full 802.1x/PEAP support should be forthcoming.

    What you guys should REALLY be worried about (well, those of you who actually manage the networks you set up your boxes in) is the complete, utter lack of decent Windows 2000 support for this.

    There is NO WAY everyone using WLANs (even Cisco ones) will migrate to XP (and I don't see any corporate moves in that direction on my side of the pond), and even less chance that your run-of-the-mill corporate user runs Linux on his laptop, so W2K support will be a hellish problem.

    (It was supposed to be in the last W2K service pack, but since the "flagship" XP version isn't out, I guess we're at Bill's mercy.)

    Oh, and did I mention time to market for non-Cisco vendors? And the AP-on-steroids you need? :)

  6. It is MAC address based, and not just for Wireless by Degrees · · Score: 5, Informative

    Cabletron (now Enterasys) tried their darnedest to get their SecureFast VLAN technology adopted as an IEEE standard, but couldn't. Great technology, it tracked every MAC address that entered any switch on the LAN. Problem is, it took lots of horsepower, and Cisco's gear wasn't the low-cost leader by throwing in tons of CPU. Their price point had a benefit: turned them into the 800 pound gorilla. When Cabletron (practically invented VLANs) brought this VLAN technology up for a vote, it got voted down - and the current 'packet tagging' scheme got approved (doesn't take many CPU cycles to look at a tag or not, compared to each switch maintaining access lists and doing lookups on new MAC's).

    Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".

    Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less proprietary).

    The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.

    --
    "The most sensible request of government we make is not, "Do something!" But "Quit it!""
  7. RTFA - Better title would have been - New Standard by puto · · Score: 5, Insightful

    There are six other contributors to the Project. Microsoft and Cisco are there and while they are two mighty large behemoths in the industry there are several other people and organizations with their eggs in the basket too.

    The ed copy almost urges us to pour wood on the MS sacrificial pyre.

    Any large outfit with software, hardware, anything to do with networking is gonna have their fingers in this pie. And MS or Cisco would have not been idiots to get on it. And both companies can put money and people on the case.

    MS realizes UNIX (Linux) is a force and although they do not like it, they know they must coexist. The days of MS thinking they could destroy us are over. But every crusade needs its zealots, and us on the Nix side have 'em.

    Hey if MS can do something to secure the MS networks I have to support, and it contributes to the community. Take their money, develop it, and we all benefit from it. I might get a weekend off.

    Just a draft for a project with multiple backers. But it has MS in it so let's skew the editorial comment.

    Truth in Journalism is hard to come by; we all have learned to read between the lines.

    We read slashdot because it compiles info from sources on the web we do not have to go looking for. Neither time nor inclination. But referencing someone else's work, and then putting a slant on it is something else. It is cheesy. If you want to spin, learn to spin. Sometimes the articles here have all the intelligence of liner notes from 80's hair bands.

    Puto

    --
    The Revolution Will Not Be Televised
  8. All Bad!! by metoc · · Score: 5, Funny

    So far:
    M$ proposes improvement to wireless security. Bad!
    Ci$co supports M$. Bad!

    IETF in the pockets of M$ & Ci$co. Bad!

    Open Source community cannot implement IETF standards. Bad!
    Microsoft! Bad!
    Ci$co! Bad!
    No wireless security! Bad!
    Slashdot users have no alternatives! Bad!
    Slashdot users waste their time reading this! Bad!
    In case Slashdot users need to hear it again. Microsoft BAD!!