EAP-MD5 support issue with Atheros APs
Last Post: March 15, 2006:
-
Hi all,
This may seem, I feel, a strange issue. Let me outline the issue below:
I am trying to configure wireless security based on the EAP-MD5 model. My network consists of: (1) Funk Odyssey Supplicant, which supports EAP-MD5, (2) Atheros AP43/AP48 as the Access Point, (3) Microsoft IAS as the RADIUS server configured for EAP-MD5 authentication.
Configuration-wise everything is proper, but the Funk Odyssey utility reports authentication failure! RADIUS logs reveal success as depicted in the Event Viewer. An appropriate sniffer capture on the wired side reveals that a RADIUS Access-Accept (which encapsulates the EAP-Success message [Code 3]) is being forwarded by IAS to the Atheros AP. A wireless sniffer capture reveals that the AP seems to convert this into EAP-Failure (Code 4)!!
I have tried with 2 different Atheros APs but it's the same issue. Could it be that the Atheros AP doesn't support EAP-MD5?? Please help.
P.S.: The Atheros AP is configured for WPA - EAP Authentication -
Your post says that your AP is configured for EAP-WPA.
EAP types I know are:
1) EAP-MD5
2) EAP-TLS
3) EAP-TTLS
4) EAP-LEAP
5) EAP-PEAP
6) EAP-SIM
7) EAP-FAST
I think the problem might be in the AP's configuration.
You might have to wait until the Big Guys in the U.S. wake up.
GT Hill / Criss Hyde / Devin might have to reply to this question.
Best,
S.Senthilraj -
Well, what I meant was that the AP has been configured for WPA-Enterprise (which supports the various EAP flavors as mentioned by you above).
-
Most APs won't allow EAP-MD5 authentication due to the lack of keying material. I think it might be an issue with your Atheros AP too.
You can check this link: http://www.grangenet.net/presentations/QuestNet2005_802.1X_Tutorial_Presentation.pdf
which speaks on the same. -
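The keying-material point in the reply above can be checked on the wired-side capture. The following is an added example, not part of the original thread: it parses a RADIUS packet and reports whether an Access-Accept carries the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes (RFC 2548, Microsoft vendor ID 311) from which a WPA-Enterprise AP takes its pairwise master key. The function names and the sample packets are constructed for illustration.

```python
import struct

MS_VENDOR_ID = 311                        # Microsoft vendor ID (RFC 2548)
MPPE_SEND_KEY, MPPE_RECV_KEY = 16, 17     # vendor types inside the VSA
EAP_MESSAGE, VENDOR_SPECIFIC = 79, 26     # RADIUS attribute types
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def radius_attrs(packet):
    """Yield (type, value) for every attribute in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                              # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def keying_report(packet):
    """Summarise the RADIUS code, the inner EAP code and MPPE key presence."""
    eap, ms_types = b"", set()
    for atype, value in radius_attrs(packet):
        if atype == EAP_MESSAGE:
            eap += value                  # EAP can span several attributes
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", MS_VENDOR_ID):
            sub = value[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                ms_types.add(sub[0])
                sub = sub[sub[1]:]
    return {"radius_code": packet[0],
            "eap": EAP_CODES.get(eap[0]) if eap else None,
            "has_mppe_keys": {MPPE_SEND_KEY, MPPE_RECV_KEY} <= ms_types}

def build_accept(with_keys):
    """Constructed sample: Access-Accept (code 2) wrapping EAP-Success."""
    attrs = bytes([EAP_MESSAGE, 6, 3, 1, 0, 4])   # EAP code 3, id 1, length 4
    if with_keys:
        for vtype in (MPPE_SEND_KEY, MPPE_RECV_KEY):
            blob = bytes(50)              # placeholder bytes, not a real key
            vsa = struct.pack("!I", MS_VENDOR_ID) + bytes([vtype, 2 + len(blob)]) + blob
            attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print("no keys  :", keying_report(build_accept(False)))
    print("with keys:", keying_report(build_accept(True)))
```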
Hi Rekha,
Thanks for answering.
Please update your profile.
Best Regards,
S.Senthilraj -
Hi Rekha,
Thanks for the update. This may be the reason behind it, given the fact that I've checked with a variety of RADIUS servers (Microsoft IAS, Funk SBR, Cisco ACS) & in each case it's exactly the same as described by me originally.
But this raises a second question: when it comes to WPA-Enterprise, isn't the EAP subtype (keying, computing, hashing, etc.) handled only by the STA & the RADIUS server, & the AP just sits to encapsulate/decapsulate EAP & RADIUS packets?
Please clarify. Maybe my concept is wrong. -
Swaraj,
You are correct. The authenticator (AP or WLAN switch) just sits in the middle and encapsulates the EAP info into a RADIUS frame (and vice versa). My first question is, "why are you trying to configure EAP-MD5?" It's about the same thing as using static WEP.
I wouldn't pursue it any further. I'd quit and try to configure PEAP or TTLS - especially since you are using Odyssey Client that supports it.
Devinator -
Devin,
Swaraj is a WLAN tester.
If he has to test the 802.1X module, he has to test all the EAP types.
Best Regards,
S.Senthilraj -
Hi Devin,
At the outset, thanks for your much-awaited reply (and I am true to myself when I say so!). And as wirelesswizardCWSP pointed out aptly, my job role necessitates me to do so!
And as far as other EAP flavors are concerned, yes, I've been successful with EAP-TLS, EAP-TTLS-MSCHAPv2, EAP-PEAP0, EAP-PEAP1.
Have you tried checking EAP-MD5 with any other AP? May I request you to share your experience in this matter please? -
"Thou shalt have WLAN"
Swaraj
That is catchy, can I borrow that? :) It is good to see you test these EAP types and have had success at utilizing them. Can you share your experience with us too? What RADIUS appliance has worked well for you?
The more we know, the better this WLAN experience will become as we migrate to 802.11n in the future.