Security Basics mailing list archives
RE: 802.1x and PEAP
From: "Rosenhan, David" <David.Rosenhan () swiftbrands com>
Date: Mon, 8 Mar 2004 08:08:14 -0700
I checked that out also and found that most of those devices support LEAP but not the Cisco version of TKIP and WEP. I also found that most of them also support WPA with a software and driver upgrade.

Thanks!

David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: Camillo Bucciarelli [mailto:camillobucciarelli () yahoo it]
Sent: Monday, March 08, 2004 3:39 AM
To: Rosenhan, David
Cc: security-basics () securityfocus com
Subject: RE: 802.1x and PEAP

On Cisco's website I've found a list of "Compatible devices":
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

I think that these devices support the basic wireless operation but not TKIP+MIC. What do you think?

Regards,
Camillo

--- "Rosenhan, David" <David.Rosenhan () swiftbrands com> wrote:

> True, Cisco was one of the first vendors to even make it available. WiFi or the IEEE hadn't come out with any true standard yet so Cisco basically built their own; this is why you can't use another vendor's card and have TKIP with MIC and WEP enabled on a Cisco AP. But I am right when I say that no other card (that I have tried or that I know of) than a Cisco card will work with a Cisco AP running WEP+TKIP+MIC.
>
> However, with the new IBM T40 built-in wireless card you can use the new cipher suite Cisco implemented in the IOS code on the 1200's, 350's and 1100's (after a free download of the software from the IBM website which includes IBM's application software and driver updates). This integrates WPA with TKIP using the IEEE standard; it also works with Cisco LEAP and with regular EAP. There is an option above the cipher suite option that is Cisco proprietary MIC and TKIP used with WEP in the IOS code. I have spent countless hours testing all of this so if you need more info then let me know.
>
> David Rosenhan, CCNP
> Information Technology
>
> -----Original Message-----
> From: Rosado, Rafael (Rafael) [mailto:rarosado () lucent com]
> Sent: Friday, March 05, 2004 6:32 AM
> To: Rosenhan, David; Camillo Bucciarelli
> Cc: security-basics () securityfocus com; shankarnarayan.d () netsol co in
> Subject: RE: 802.1x and PEAP
>
> David,
>
> I disagree with your comment about TKIP and MIC being proprietary. TKIP and MIC are part of the WiFi Alliance's interim solution to WEP deficiencies, which are a subset of the WiFi Protected Access solution of IEEE 802.11i (still in draft, expected to be ratified sometime 2nd-3rd QTR 2004). Cisco has a proprietary version of TKIP, but it is based on the framework established by the WiFi Alliance.
>
> Rafael Rosado, CISSP, CISA
> IT Security Manager
> Lucent Technologies
> IT Infrastructure - Network Design
> 2400 SW 145th Avenue
> Miramar, Florida 33027
> Office: 954-885-2176
> Facsimile: 954-885-3861
> Email: rarosado () lucent com
>
> -----Original Message-----
> From: Rosenhan, David [mailto:David.Rosenhan () swiftbrands com]
> Sent: Thursday, March 04, 2004 3:18 PM
> To: Camillo Bucciarelli
> Cc: security-basics () securityfocus com; shankarnarayan.d () netsol co in
> Subject: RE: 802.1x and PEAP
>
> Camillo,
>
> Broadcast key rotation can only be done with an authentication server. TKIP and MIC are Cisco proprietary; if you have an AP running VxWorks and not IOS then you won't get a different vendor's card other than a 340 or 350 card to work with TKIP and MIC, period. Even if you upgrade to IOS a different vendor's card will not work with TKIP and MIC, but there are other options with IOS. If you upgrade to IOS on your AP (1200's and 350 AP's are upgradable to IOS) then you have some new options: you can now use new IEEE standards like WPA; the problem is the manufacturer's card has to support it. WPA is really new; even with Cisco 340 and 350 cards you have to use a separate piece of software (like the Funk Odyssey client) to use WPA pre-shared keys. IEEE also included TKIP with WPA and you don't need a server to use it with the new IOS software on the 1200 and 350 AP's. Plus there are options for EAP with WPA and broadcast key rotation with authentication to a RADIUS server (Cisco has docs that talk about how the ACS server works with all of this on their website).
>
> Thanks!
>
> David Rosenhan, CCNP
> Information Technology
>
> -----Original Message-----
> From: Camillo Bucciarelli [mailto:camillobucciarelli () yahoo it]
> Sent: Thursday, March 04, 2004 8:43 AM
> To: shankarnarayan.d () netsol co in
> Cc: security-basics () securityfocus com
> Subject: RE: 802.1x and PEAP
>
> Can I use these features (Enhanced MIC verification for WEP, Temporal Key Integrity Protocol, Broadcast WEP Key rotation) with a non-Cisco wireless adapter? Such as a 3Com wireless PCMCIA? Actually I've tried a Cisco Aironet 340 wireless card.
>
> Regards,
> Camillo Bucciarelli
>
> --- shankarnarayan.d () netsol co in wrote:
>
> > This can be done best on the wireless networks having AP's from Cisco. The others are still in the process of accomplishing the same on their Access Points (most have done it, some are yet to accomplish the same). The broadcast key is negotiated for the first time and then the same is changed at periodic intervals (configurable by an administrator). The old broadcast key is used to encrypt the new key and the same is broadcast out to all the clients on the access point at the expiry of the administrator-defined time limit. On a Cisco you would use the following commands on the Aironet 1100/1200 (with IOS), in order:
> >
> >     configure terminal
> >     interface dot11radio { 0 | 1 }
> >     broadcast-key change seconds

=== message truncated ===

=====
Camillo Bucciarelli
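The thread turns on three per-radio settings of a Cisco Aironet AP running IOS: the cipher suite (static WEP versus TKIP), whether an SSID uses EAP/802.1x and WPA key management, and whether broadcast-key rotation is configured and how often it fires. Below is an added example, not code from the thread or from Cisco, that parses a running-config and flags radios that miss any of them. The only command taken from the posted text is `broadcast-key change <seconds>` under `interface dot11radio`; the `encryption mode ...` and `authentication ...` forms are Aironet IOS syntax as I remember it and should be checked against the AP's own IOS release. The sample config and the 600-second rotation threshold are constructed for illustration.

```python
"""Audit a Cisco Aironet (IOS) running-config for the wireless settings the
thread argues about. Added example; not from the thread or from Cisco. Only
'broadcast-key change <seconds>' is taken from the posted commands; the
'encryption mode' and 'authentication' forms are Aironet IOS syntax from
memory and must be checked against the AP's IOS release."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: radio 0 is set up the way the thread recommends,
# radio 1 is a legacy static-WEP radio with no key rotation.
SAMPLE_CONFIG = """\
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid corp-wlan
    authentication open eap eap_methods
    authentication key-management wpa
 broadcast-key change 300
!
interface Dot11Radio1
 encryption mode wep mandatory
 ssid legacy
    authentication open
!
"""

# Policy threshold (assumption): rotate the broadcast key at least every 10 min.
MAX_ROTATION_SECONDS = 600


@dataclass
class RadioAudit:
    interface: str
    ciphers: List[str] = field(default_factory=list)
    broadcast_key_seconds: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse_radio_blocks(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [config lines]} for each Dot11Radio block.
    IOS nests ssid settings under the radio with deeper indentation, so every
    indented line up to the next top-level command belongs to the radio."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            m = re.match(r"interface\s+(Dot11Radio\S+)", line, re.IGNORECASE)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit_radio(name: str, lines: List[str],
                max_rotation: int = MAX_ROTATION_SECONDS) -> RadioAudit:
    """Flag a WEP-only cipher suite, missing EAP/WPA, and missing or slow rotation."""
    result = RadioAudit(interface=name)
    has_eap = has_wpa = False
    for line in lines:
        m = re.match(r"encryption(?:\s+vlan\s+\d+)?\s+mode\s+ciphers\s+(.+)", line)
        if m:
            result.ciphers.extend(m.group(1).split())
            continue
        if re.match(r"encryption(?:\s+vlan\s+\d+)?\s+mode\s+wep\b", line):
            result.ciphers.append("wep-static")
            continue
        m = re.match(r"broadcast-key(?:\s+vlan\s+\d+)?\s+change\s+(\d+)", line)
        if m:
            result.broadcast_key_seconds = int(m.group(1))
            continue
        if re.match(r"authentication\s+(open\s+eap|network-eap)\b", line):
            has_eap = True
        if re.match(r"authentication\s+key-management\s+wpa\b", line):
            has_wpa = True

    if not result.ciphers:
        result.findings.append("no encryption configured")
    elif "tkip" not in result.ciphers:
        result.findings.append("cipher suite has no TKIP (WEP only)")
    if not has_eap:
        result.findings.append("no EAP/802.1x authentication on any ssid")
    if not has_wpa:
        result.findings.append("no WPA key management on any ssid")
    # The thread says rotation needs an authentication server; a config check
    # can only tell you whether the command is present, not whether it works.
    if result.broadcast_key_seconds is None:
        result.findings.append("no broadcast-key rotation configured")
    elif result.broadcast_key_seconds > max_rotation:
        result.findings.append(
            f"broadcast-key interval {result.broadcast_key_seconds}s exceeds {max_rotation}s")
    return result


def audit_config(config: str,
                 max_rotation: int = MAX_ROTATION_SECONDS) -> Dict[str, RadioAudit]:
    """Audit every Dot11Radio interface found in a running-config."""
    return {name: audit_radio(name, lines, max_rotation)
            for name, lines in parse_radio_blocks(config).items()}


if __name__ == "__main__":
    for name, audit in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: ciphers={audit.ciphers} broadcast-key={audit.broadcast_key_seconds}")
        for finding in audit.findings or ["OK"]:
            print(f"  - {finding}")
```

Feed it the output of `show running-config` from the AP. It deliberately treats a missing `broadcast-key change` as a finding even when TKIP is on, because the thread's point is that rotation is a separate knob from the cipher suite and, per David's message, only takes effect with an authentication server behind it.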
Current thread:
- 802.1x and PEAP Camillo Bucciarelli (Mar 02)
- <Possible follow-ups>
- RE: 802.1x and PEAP shankarnarayan . d (Mar 03)
- RE: 802.1x and PEAP Camillo Bucciarelli (Mar 03)
- RE: 802.1x and PEAP Camillo Bucciarelli (Mar 04)
- RE: 802.1x and PEAP Rosenhan, David (Mar 04)
- RE: 802.1x and PEAP Rosado, Rafael (Rafael) (Mar 08)
- RE: 802.1x and PEAP shankarnarayan . d (Mar 08)
- RE: 802.1x and PEAP Rosenhan, David (Mar 08)
- RE: 802.1x and PEAP Camillo Bucciarelli (Mar 08)
- RE: 802.1x and PEAP Rosenhan, David (Mar 08)
- RE: 802.1x and PEAP shankarnarayan . d (Mar 08)
- RE: 802.1x and PEAP Jason Humes (Mar 08)
- Re: 802.1x and PEAP balinsky (Mar 29)