
  • Compughter,
    Thank you for acknowledging my efforts in testing WLAN security. Yeah, you bet the deal with EAP-MD5 is catchy! As I mentioned originally, no matter which RADIUS server I use (albeit I've used a few of them), the RADIUS sends an Access-Accept (containing EAP-Success in it) packet to the AP, which in turn turns it into EAP-Failure before forwarding it to the STA!!
    Thus, whereas the RADIUS logs reveal successful Authentication, the Supplicant utility reports Authentication Failure.
    Remember that the AP is configured for WPA-Enterprise, which implies that in being configured for so, it just sits to encapsulate/decapsulate EAP & RADIUS packets from the STA & the RADIUS.
    The interesting part is that the AP functions exactly as described in the above para until about the moment it receives the final RADIUS Access-Accept packet from the AS. This is confirmed by the wireless sniffer capture which reflects proper decapsulation of the RADIUS packets but for the last one from the AP!
    I hope I don't sound too lengthy/boring in attempting to discuss my experience with the forum.
    Coming to your second question, could you be more specific on that? I am asking you so 'coz I haven't come across a 'one RADIUS does it all solution' yet. Maybe I need to dig the soil deeper.

  • By (Deleted User)

    What OS software are you using on your test?

    Windows XP with SP1, Windows XP with SP2, Windows Server 2003, and Windows 2000 with SP4 no longer allow the use of EAP-MD5 CHAP as a wireless authentication method.


    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.mspx

    The question posed on what Radius appliance works best, is just general. Just like to understand what users prefer that is easier to configure. I am going to set up my own at home here soon.

  • Hi Compughter, thank you for the link above.
    I am using Win 2000 Pro-SP4 on the STA & Win 2000 Server-SP4 on the RADIUS machine. Checked earlier with Win XP SP2 on the STA also but to no effect. And the link you have mentioned above exactly confirms the same.
    But now that raises another question in my mind:
    If the OS was not supposed to support it, why would the AP reject the EAP-Success from the RADIUS machine & convert it into EAP-Failure? And again the deal with WPA-Enterprise is analogous to what Microsoft explains in the above link as EAP over RADIUS. I would again like to stress that the AP is configured in WPA-Enterprise mode!

    Coming to your next question on what RADIUS appliance works well in general, Microsoft IAS steals the show only due to its ease of configuration. Setting up a RADIUS solution is a breeze with Microsoft IAS, albeit it has limited EAP-type support. Win 2000 Server ships with IAS & MCS built-in, so costwise that proves economical also. My experience in setting up EAP-TLS with Microsoft IAS & MCS has indeed been very smooth & trouble-free!

  • By (Deleted User)

    Swaraj,

    I am not a Radius guru, but here is a link to a question and answer between two 802.1x promoters. Chris Hessing is the guy that quoted this. While it might not mention WPA Enterprise, it must still apply to EAP-MD5. Why? I couldn't tell you but it makes for interesting research.


    http://www.macdevcenter.com/pub/a/mac/2004/09/21/open1x.html


    PEAP allows you to use any EAP type, but I should note that "any" is not always "any." For example, in PEAP version zero, it's hard to distinguish whether you are getting an EAP message or if you are getting a request to do a specific type of EAP authentication. EAP-MD5 has an EAP method value of 4, but the EAP-Failure packet has a type code of four as well. When you get an EAP-MD5 challenge, it might be interpreted as a failure by the supplicant.



    Thank you for your comments on the RADIUS authentication methods.
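
An added example, not part of the thread or of the linked article: a minimal parser for the EAP packet layout in RFC 3748, showing the overlap the quote above refers to (as a Code, 4 means Failure; as a method Type, 4 means MD5-Challenge). The sample packets are constructed and the function names are hypothetical.

```python
import struct

# EAP Code values and the first method Type values, per RFC 3748.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

def parse_eap(pkt: bytes) -> dict:
    """Parse a complete EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-octet EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if not 4 <= length <= len(pkt):
        raise ValueError("Length field does not fit the packet")
    out = {"code": EAP_CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):                      # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        out["type"] = EAP_TYPES.get(pkt[4], f"type-{pkt[4]}")
        out["data"] = pkt[5:length]         # octets past Length are padding
    elif length != 4:
        raise ValueError("Success/Failure must be exactly 4 octets")
    return out

def md5_challenge_value(pkt: bytes) -> bytes:
    """Return the challenge from an EAP-MD5 Request (Value-Size, Value, Name)."""
    p = parse_eap(pkt)
    if p["code"] != "Request" or p["type"] != "MD5-Challenge":
        raise ValueError("not an EAP-MD5 challenge")
    data = p["data"]
    if not data or data[0] == 0 or 1 + data[0] > len(data):
        raise ValueError("bad Value-Size")
    return data[1:1 + data[0]]

def first_octet_readings(octet: int) -> tuple:
    """The same octet read as a Code and as a Type (the overlap in the quote)."""
    return EAP_CODES.get(octet), EAP_TYPES.get(octet)

# Constructed sample packets, not taken from any capture.
CHALLENGE = bytes(range(16))
MD5_REQUEST = struct.pack("!BBHBB", 1, 7, 22, 4, 16) + CHALLENGE
FAILURE = struct.pack("!BBH", 4, 7, 4)

if __name__ == "__main__":
    print(parse_eap(MD5_REQUEST)["type"], parse_eap(FAILURE)["code"])
    print(first_octet_readings(4))
```

With the full four-octet header present, the two packets parse unambiguously; the confusion only arises when a receiver reads an octet in the wrong position.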
