Hi,

> We're working with HP MSM wireless controllers, which can do EAP-TLS,
> EAP-TTLS, EAP-PEAP, LEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC.
>
> I'm looking for the easiest way to allow WPA to use a RADIUS-based
> username/password for a public-access network. So no client certificates
> or supplicant software, and supporting a wide range of client devices.
> Security is not a concern -- currently authentication is done through
> HTTP, and credentials are not personally identifying information. This is
> strictly about convenience, to avoid use of the HTML login.

Firstly, I hope you mean WPA2/AES and not just old WPA/TKIP.

Secondly, yes, this is fairly easy - you just need your RADIUS server to have a certificate signed by a root CA that is common in the OS platform. The client will then, in most cases, be happy with the cert and just ask the user for their username/password... which will then be cached on the device for future auths to your system (and that could be a problem more than anything else) - this will be with EAP-PEAP (PEAPv0).

Obviously, without proper configuration 802.1X is open to abuse - i.e. someone else could get a cert signed by that same CA and then spoof being one of your APs and start harvesting credentials... as the clients, if not set to trust only a particular CN provided, will open up EAP and pass credentials through - whilst the common EAP is PEAP/MSCHAPv2, once the EAP part is done (which it would be), you just collect the MSCHAPv2 challenge... send to a cloud cracker et voila... but as you said, security isn't too much here - if you already have open wireless with just HTTP auth then that's true.

Personally I think moving into this arena, EAP/802.1X is the way to go for convenience... (if you use EAP-TTLS then you would also be ready to use Hotspot 2.0 for automatic association of mobile devices - particularly if you have agreements etc. with carriers).

alan
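
Added example (not part of the original message): a small Python audit of `wpa_supplicant` network blocks for the client-side gap described in the reply above, an 802.1X profile that is not set to trust only a particular server name. The SSIDs, file path and server name in the sample configuration are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf (hypothetical SSIDs, path and server name).
SAMPLE_CONF = '''
network={
    ssid="public-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="public-wifi-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-root-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

# Any one of these ties the accepted certificate to a specific server name.
NAME_PINS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(conf):
    """Map SSID -> findings for 802.1X profiles lacking server validation."""
    report = {}
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK and open networks are out of scope
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(k in net for k in NAME_PINS):
            findings.append("no name pin: any cert from a trusted CA is accepted")
        report[net["ssid"]] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "server validated")
```

A profile with `ca_cert` pointing at a public root but no name pin still produces the second finding, which is the case the reply describes.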