Re: Dynamic WEP support.



On Wed, 2006-03-22 at 15:34 -0500, Robert Love wrote:
> 
> > EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
> > EAP-PEAP/TLS (both PEAPv0 and PEAPv1)
> > EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
> > EAP-PEAP/OTP (both PEAPv0 and PEAPv1)
> > EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
> > EAP-TTLS/EAP-MD5-Challenge
> > EAP-TTLS/EAP-GTC
> > EAP-TTLS/EAP-OTP
> > EAP-TTLS/EAP-MSCHAPv2
> > EAP-TTLS/EAP-TLS
> > EAP-TTLS/MSCHAPv2
> > EAP-TTLS/MSCHAP
> > EAP-TTLS/PAP
> > EAP-TTLS/CHAP
> 
> Yah, I've seen this.  It doesn't really answer the question, although
> it is a start.
> 
> What we have is
> 
>         EAP-PEAP (supported now), plus the following 2nd stages:
>         MSCHAPv2, TLS, GTC, OTP, MD5-Challenge
> 
>         EAP-TTLS (supported now), plus the following 2nd stages:
>         MSCHAPv2, MSCHAP, PAP, CHAP
> 
> So I have two questions: what are the EAP versions of the 2nd
> authentications?  E.g., what is "EAP-TTLS/EAP-MSCHAPv2" and how does
> it differ from "EAP-TTLS/MSCHAPv2" ?

As I understand it:

* WPA and WEP are two types of keys - WPA being a little more secure
* WPA-PSK (this is a wpa_supplicant term) is roughly the equivalent of 
  WEP with a preshared key.

What NM calls WPA2 Enterprise is actually WPA-EAP (this is a
wpa_supplicant term) - using EAP (extensible authentication protocol)
for dynamic WPA keys.

The key_mgmt type 802.1X (in wpa_supplicant) is the equivalent
authentication mechanism for dynamic WEP keys.

There are several EAP methods implemented in wpa_supplicant:

* EAP-MD5
* EAP-MSCHAPV2
* EAP-TLS
* EAP-PEAP
* EAP-TTLS

EAP-MD5 is insecure and can only be used as phase 2 method for EAP-PEAP
or EAP-TTLS, same goes for EAP-MSCHAPV2. EAP-TLS requires a client and
server certificate. EAP-TTLS is an anonymous TLS tunnel wherein an extra
EAP/PAP/CHAP/MSCHAP/MSCHAPV2 authentication takes place. EAP-PEAP is a
tunneled EAP with anonymous outer layer (similar to EAP-TTLS).

I hope this answers your question. This is all quite clearly documented
in the default config file of wpa_supplicant (stupid place to document
things though).

> And my second question is, for each of the above, I need a human
> readable name (pretty easy to figure out) and the string that
> wpa_supplicant expects.

If wpa_supplicant requires the same strings in the control channel as it
does in the configuration, then the exhaustive list of strings can be
found there.

-- 
Dennis K.
 - Linux for human beings - http://www.ubuntu.com
 - Linux for normal people - http://www.ubuntu-nl.org
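
Added example, not part of the original message and not NetworkManager or wpa_supplicant code: a sketch of how the method names listed in this thread map onto the `eap`, `phase1` and `phase2` strings of a wpa_supplicant network block, including the difference between "EAP-TTLS/EAP-MSCHAPv2" (`autheap=`) and "EAP-TTLS/MSCHAPv2" (`auth=`). The function names and the SSID used in the check are hypothetical; identity and credential fields are left out.

```python
# Added example: map the method names from this thread to wpa_supplicant
# network-block fields. Function names here are hypothetical.

# Inner-method spellings as wpa_supplicant.conf writes them.
INNER_NAMES = {"MSCHAPV2": "MSCHAPV2", "MSCHAP": "MSCHAP", "PAP": "PAP",
               "CHAP": "CHAP", "TLS": "TLS", "GTC": "GTC", "OTP": "OTP",
               "MD5-CHALLENGE": "MD5", "MD5": "MD5"}
NON_EAP_INNER = {"MSCHAPV2", "MSCHAP", "PAP", "CHAP"}  # valid inside TTLS only


def eap_fields(name, peapver=None):
    """Turn e.g. 'EAP-TTLS/EAP-MSCHAPv2' into eap/phase1/phase2 settings."""
    outer, _, inner = name.upper().partition("/")
    if outer not in ("EAP-PEAP", "EAP-TTLS") or not inner:
        raise ValueError(f"expected EAP-PEAP/<inner> or EAP-TTLS/<inner>: {name}")
    inner_is_eap = inner.startswith("EAP-")
    key = inner[4:] if inner_is_eap else inner
    if key not in INNER_NAMES:
        raise ValueError(f"unknown inner method: {inner}")
    fields = {"eap": outer[4:]}
    if outer == "EAP-PEAP":
        # PEAP always tunnels an EAP method; the config still writes auth=.
        fields["phase2"] = f"auth={INNER_NAMES[key]}"
        if peapver is not None:
            fields["phase1"] = f"peapver={int(peapver)}"
    elif inner_is_eap:
        fields["phase2"] = f"autheap={INNER_NAMES[key]}"  # tunneled EAP method
    elif key in NON_EAP_INNER:
        fields["phase2"] = f"auth={INNER_NAMES[key]}"     # plain, non-EAP inner
    else:
        raise ValueError(f"{inner} inside TTLS must be written EAP-{inner}")
    return fields


def network_block(ssid, name, dynamic_wep=False, peapver=None):
    """Render a network block; dynamic WEP uses key_mgmt=IEEE8021X."""
    fields = eap_fields(name, peapver)
    lines = [f'    ssid="{ssid}"',
             f'    key_mgmt={"IEEE8021X" if dynamic_wep else "WPA-EAP"}',
             f'    eap={fields["eap"]}']
    lines += [f'    {k}="{fields[k]}"' for k in ("phase1", "phase2") if k in fields]
    return "network={\n" + "\n".join(lines) + "\n}"
```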
