[CWN-Summit] Open 1X Project Info:
Sascha Meinrath
sascha at ucimc.org
Wed Sep 29 08:42:33 CDT 2004
This is a really interesting interview with two of the folks who are
working on the Open 1X Project (an open source project working on wireless
networking security). The system uses dynamic keying (rather than VPN
like the UofI) so it doesn't require client software.

In a nutshell:

"We use TTLS, with PAP as the inner authentication method. As a security
measure, our user accounts are stored in Kerberos, which encrypts user
passwords on the server. Kerberos allows you to give it a user name and
unencrypted password for validation, but it does not store the password in
a way that the unencrypted form can be recovered. We needed an EAP method
that worked with a user name and an unencrypted password. Kerberos can validate
a password, but it doesn't work with challenge/response systems like PEAP.
[Interviewer's note: PEAP actually can work with an unencrypted
authentication string, by using EAP-GTC as the inner method. However,
PEAP/EAP-GTC is not widely supported by clients, and it is not implemented
by the supplicant built in to Windows.]"

There's a fairly accessible white-paper explaining their system here:
http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf

For the BSD folks in the crowd, "We're spending most of our time writing
code to implement WPA and 802.11i. The BSD frame handler is also on the
short list, but we are spending more time on WPA and 802.11i. If somebody
were to write the BSD frame handler, we would be more than happy to take
it, though."

--Sascha
--
Sascha Meinrath
Project Manager & Pres. * Project Coordinator * Policy Analyst
Acorn Worker Collective *** CU Wireless Network *** Free Press
www.acorncollective.com * www.cuwireless.net * www.freepress.net

Subject: Open-Source 802.1X Deployment, Future
By Glenn Fleishman
Special to Wi-Fi Networking News
Permanently archived at <http://wifinetnews.com/archives/004168.html>

[1] Matthew Gast interviews two of the principals of the open-source
802.1X project called Open1X: Matthew is involved in testing 802.1X
systems (supplicants and servers); he's the author of O'Reilly's [2]
802.11 Wireless Networks. He interviews Chris Hessing and Terry Simons
about their use of 802.1X at the University of Utah--fascinating in
itself--and their broader goals of bringing more interoperability and
sophistication to 802.1X implementations. Open1X was started because they
needed a client that worked across many platforms; now some platforms have
limited 802.1X clients built in, but the need for a robust open-source
supplicant is still quite high.

URLs referenced:
[1] <http://www.macdevcenter.com/pub/a/mac/2004/09/21/open1x.html>
[2] <http://isbn.nu/0596001835>
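
The constraint described in the quoted interview, as an added example that is not part of the original post or of the Open1X code: a backend that can only validate a cleartext password works with PAP inside the TTLS tunnel, but cannot check a challenge/response. `OneWayStore` is a constructed stand-in for such a backend (not Kerberos itself), RFC 1994 CHAP stands in for the challenge/response method, and all names and the sample account are hypothetical.

```python
import hashlib
import hmac
import os

class OneWayStore:
    """Constructed stand-in for a validate-only backend (not Kerberos itself)."""
    def __init__(self):
        self._db = {}  # user -> (salt, derived key); no recoverable password kept

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def validate(self, user, password):
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(self._derive(password, salt), stored)

    def recover_password(self, user):
        return None  # one-way storage: there is nothing to hand back

def pap_check(store, user, password):
    """TTLS/PAP: the tunnel delivers the cleartext password; the server forwards it."""
    return store.validate(user, password)

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_check(store, user, ident, challenge, response):
    """The server must recompute the response, which needs the password itself."""
    secret = store.recover_password(user)
    if secret is None:
        return None  # cannot decide: the store cannot supply the secret
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def demo():
    store = OneWayStore()
    store.add_user("alice", "correct horse")  # constructed sample account
    challenge = os.urandom(16)
    resp = chap_response(7, "correct horse", challenge)  # what an honest client sends
    return (pap_check(store, "alice", "correct horse"),
            pap_check(store, "alice", "wrong"),
            chap_check(store, "alice", 7, challenge, resp))
```

`demo()` returns the PAP result for the right password, the PAP result for a wrong one, and the CHAP result, which is `None` because the server has no secret to recompute the response with.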