Security Basics mailing list archives

RE: 802.1x and PEAP


From: "Rosenhan, David" <David.Rosenhan () swiftbrands com>
Date: Mon, 8 Mar 2004 08:08:14 -0700

I checked that out also and found that most of those devices support
LEAP but not the Cisco version of TKIP and WEP.  I also found that most
of them also support WPA with a software and driver upgrade.

Thanks!

David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: Camillo Bucciarelli [mailto:camillobucciarelli () yahoo it] 
Sent: Monday, March 08, 2004 3:39 AM
To: Rosenhan, David
Cc: security-basics () securityfocus com
Subject: RE: 802.1x and PEAP

On Cisco's website I've found a list of "Compatible devices":
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

I think that these devices support the basic Wireless Operation but not the TKIP+MIC. What do you think?

Regards,
Camillo

 --- "Rosenhan, David" <David.Rosenhan () swiftbrands com> wrote: > True,
Cisco was one of the first vendors to even make it available. WiFi or the IEEE hadn't come out with any true standard yet, so Cisco basically built their own; this is why you can't use another vendor's card and have TKIP with MIC and WEP enabled on a Cisco AP. But I am right when I say that no other card (that I have tried or that I know of) than a Cisco card will work with a Cisco AP running WEP+TKIP+MIC.

However, with the new IBM T40 built-in wireless card you can use the new cipher suite Cisco implemented in the IOS code on the 1200's, 350's and 1100's (after a free download of the software from the IBM website, which includes IBM's application software and driver updates). This integrates WPA with TKIP using the IEEE standard; it also works with Cisco LEAP and with regular EAP.

There is an option above the cipher suite option that is Cisco proprietary MIC and TKIP used with WEP in the IOS code. I have spent countless hours testing all of this, so if you need more info then let me know.

David Rosenhan, CCNP
Information Technology


-----Original Message-----
From: Rosado, Rafael (Rafael)
[mailto:rarosado () lucent com] 
Sent: Friday, March 05, 2004 6:32 AM
To: Rosenhan, David; Camillo Bucciarelli
Cc: security-basics () securityfocus com;
shankarnarayan.d () netsol co in
Subject: RE: 802.1x and PEAP

David,

I disagree with your comment about TKIP and MIC being proprietary. TKIP and MIC are part of the WiFi Alliance's interim solution to WEP deficiencies, which are a subset of the WiFi Protected Access solution of IEEE 802.11i (still in draft, expected to be ratified sometime 2nd-3rd QTR 2004). Cisco has a proprietary version of TKIP, but it is based on the framework established by the WiFi Alliance.

Rafael Rosado, CISSP, CISA
IT Security Manager
Lucent Technologies
IT Infrastructure - Network Design
2400 SW 145th Avenue 
Miramar, Florida 33027 
Office: 954-885-2176 
Facsimile: 954-885-3861 
Email: rarosado () lucent com 


-----Original Message-----
From: Rosenhan, David
[mailto:David.Rosenhan () swiftbrands com] 
Sent: Thursday, March 04, 2004 3:18 PM
To: Camillo Bucciarelli
Cc: security-basics () securityfocus com;
shankarnarayan.d () netsol co in
Subject: RE: 802.1x and PEAP

Camillo,

Broadcast key rotation can only be done with an authentication server.

TKIP and MIC are Cisco proprietary. If you have an AP running VxWorks and not IOS then you won't get a different vendor's card other than a 340 or 350 card to work with TKIP and MIC, period; even if you upgrade to IOS a different vendor's card will not work with TKIP and MIC, but there are other options with IOS.

If you upgrade to IOS on your AP (1200's and 350 AP's are upgradable to IOS) then you have some new options: you can now use new IEEE standards like WPA; the problem is the manufacturer's card has to support it. WPA is really new; even with Cisco 340 and 350 cards you have to use a separate piece of software (like the Funk Odyssey client) to use WPA pre-shared keys. IEEE also included TKIP with WPA and you don't need a server to use it with the new IOS software on the 1200 and 350 AP's. Plus there are options for EAP with WPA and broadcast key rotation with authentication to a RADIUS server (Cisco has docs that talk about how the ACS server works with all of this on their website).

Thanks!

David Rosenhan, CCNP
Information Technology


-----Original Message-----
From: Camillo Bucciarelli
[mailto:camillobucciarelli () yahoo it]
Sent: Thursday, March 04, 2004 8:43 AM
To: shankarnarayan.d () netsol co in
Cc: security-basics () securityfocus com
Subject: RE: 802.1x and PEAP

Can I use these features (Enhanced MIC verification for WEP, Temporal Key Integrity Protocol, Broadcast WEP Key rotation) with a non-Cisco wireless adapter? Such as a 3Com wireless PCMCIA?
Actually I've tried a Cisco Aironet 340 wireless card.

Regards,
Camillo Bucciarelli

 --- shankarnarayan.d () netsol co in wrote: >
This can be done best on the wireless networks having AP's from Cisco. The others are still in the process of accomplishing the same on their Access Points (most have done it, some are yet to accomplish the same). The broadcast key is negotiated for the first time and then the same is changed at periodic intervals (configurable by an administrator). The old broadcast key is used to encrypt the new key and the same is broadcast out to all the clients on the access point at the expiry of the administrator defined time limit. On a Cisco you would use the following commands on the Aironet 1100/1200 (with IOS) in order

configure terminal
interface dot11radio { 0 | 1 }
broadcast-key change seconds

=== message truncated === 

=====
Camillo Bucciarelli
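The thread contrasts the Cisco-proprietary WEP+MIC+TKIP setting (Cisco cards only) with the standards-based WPA/TKIP setting reachable after an IOS upgrade, and ends with the broadcast-key rotation commands. The configuration below ties those pieces together on one Aironet radio. It is an added example written for this archive page, not a configuration posted in the thread or taken from Cisco documentation. It assumes the 12.2(x)JA-era Aironet IOS syntax in which the SSID is configured under the radio interface; the `encryption mode wep mandatory mic key-hash` form for the proprietary setting, the interface name, the SSID, the RADIUS address, the rotation interval and the secrets are all assumptions or placeholders.

```cisco
! Added example (not from the thread): Aironet 1200 running IOS, one radio.
! Assumed: 12.2(x)JA-era syntax with the SSID nested under the radio interface;
! 192.0.2.10, the SSID name and the secrets are placeholders.
!
! --- Legacy, Cisco-proprietary setting described in the thread ---
! WEP with Cisco MIC and Cisco per-packet key hashing (pre-standard TKIP).
! Only Cisco client cards negotiate this; other vendors' cards cannot associate.
! (Shown commented out; assumed command form.)
! interface dot11radio 0
!  encryption mode wep mandatory mic key-hash
!
! --- Standards-based setting: WPA/TKIP with EAP to a RADIUS server ---
aaa new-model
aaa authentication login eap_methods group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
!
interface dot11radio 0
 ! IEEE TKIP cipher rather than the Cisco WEP+MIC variant, so WPA-capable
 ! non-Cisco cards (after their vendor's WPA driver update) can associate
 encryption mode ciphers tkip
 ssid corp-wpa
    ! 802.1x/EAP (PEAP, LEAP, ...) authenticated through the RADIUS method list
    authentication open eap eap_methods
    authentication key-management wpa
    ! WPA pre-shared keys with no authentication server would instead use:
    !  authentication open
    !  authentication key-management wpa
    !  wpa-psk ascii PASSPHRASE_PLACEHOLDER
 ! Rotate the broadcast (group) key every 300 seconds; as the thread describes,
 ! the new key is delivered to associated clients protected by the current one
 broadcast-key change 300
!
end
```

The two settings are mutually exclusive on a radio: `encryption mode wep ... mic key-hash` locks the BSS to Cisco clients, while `encryption mode ciphers tkip` with `authentication key-management wpa` is what lets third-party WPA clients join. `broadcast-key change` is worth pairing with EAP rather than a static configuration, since the rotation interval bounds how long a recovered group key stays useful.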
 





