Windows XP + Novell + 802.1x + OS X

Unanswered Question
Dec 8th, 2008


I work for a poor inner-city school district and I've got the above environment. I've inherited the network and the current config is a 64-character WPA2 key. This is untenable and I really need to find a solution using the default supplicant and/or some other fancy footwork to lose the key.

The requirements require me to NOT require the users to authenticate more than once AND to allow them to authenticate wirelessly somehow to allow Novell authentication before granting access to the wireless network. I've played around with ACLs on my WLCs to only allow access to the wireless network to specific servers to grant authentication, but I'm at a loss as to what to do after they authenticate -- other than require them to connect via VPN to get access. This is not ideal as the CIO is insistent that we NOT impact the users.

Has anyone made this work with the default supplicants and if so, please give me guidance. I'm at a loss and I'm willing to read. ;)

I just wish there was a way to negotiate WPA2 encryption after a webauth or something. That would be so useful.

Thanks ahead of time for any help you can provide.


dennischolmes Wed, 12/10/2008 - 15:00

Easiest way is to buy the Cisco Supplicant. Tell the CIO that unfunded mandates are what got this country into the trouble it's in now. ;)

JEFFREY SESSLER Wed, 12/10/2008 - 17:50

Cloudpath Networks has a product called XpressConnect. It's a web-based setup assistant for OSX and Windows that automates the setup of the local wireless. It can deploy keys, certificates, etc. to the client. Clients can connect to an open SSID that provides just a link to the setup. The program will then set up everything for, say, WPA2 PSK or WPA2 Enterprise, switch them on to the new WPA2-enabled SSID, and away they go. If you move to WPA2/Ent, you can authenticate against eDir.

augie2005 Tue, 12/30/2008 - 07:12

'If you move to WPA2/Ent, you can authenticate against eDir.'

Where is the problem of Novell eDirectory not natively supporting MSCHAP solved in this scenario? The only reason supplicants are needed is because XP can't do PEAP/GTC; OSX works great (since it has native PEAP/GTC). Is there something I'm missing? I'm trying to solve authenticating against eDir myself. Seems to be the fact that XP needs a supplicant and there is no other solution (using 802.1x, WPA, and ACS).

Thanks for any input, I'm dead in the water...

JEFFREY SESSLER Tue, 12/30/2008 - 07:53

For eDir, you'd install FreeRadius with the eDir extensions installed. This allows FreeRadius to access a user's Universal Password which it can then use for MSCHAPv2 authentication.
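
The reason the eDir extensions matter is worth seeing in code. MS-CHAPv2 does not let the RADIUS server simply bind to LDAP with the user's password: the client sends a response derived from the NT hash of the password, so the server must hold either the cleartext password (which the Universal Password retrieval provides) or the NT hash itself, and then reproduce the client's computation. The following is an added example written for this thread, not code from FreeRadius, Novell or anyone in the discussion; it implements the two hash steps of RFC 2759 in standard-library Python (MD4 is written out by hand because hashlib's MD4 is frequently disabled on current OpenSSL builds) and checks them against the RFC's published test vector. The DES-based NT-Response step that follows these hashes is not included.

```python
"""NT hash and MS-CHAPv2 ChallengeHash (RFC 2759), standard library only."""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Only needed because MS-CHAPv2 is built on it."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        # Each round rotates (a, b, c, d) so the same statement serves all four
        # positions; after 16 steps the variables are back in their original roles.
        for i in range(16):  # round 1: F(x, y, z) = (x & y) | (~x & z)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: majority function, words 0,4,8,12,1,5,...
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: xor, words in bit-reversed order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash(): MD4 over the UTF-16LE password. This is the secret the
    RADIUS server must be able to obtain; an LDAP bind never yields it."""
    return md4(password.encode("utf-16le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash(): first 8 bytes of SHA-1(PeerChallenge || AuthChallenge || UserName)."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


if __name__ == "__main__":
    # RFC 2759 section 9.2 test vector (published values, not constructed here).
    auth_challenge = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer_challenge = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    print("PasswordHash :", nt_hash("clientPass").hex())
    print("Challenge    :", challenge_hash(peer_challenge, auth_challenge, "User").hex())
    # The server feeds these two values into three DES operations (not shown) to
    # reproduce the 24-byte NT-Response the client sent. Without the password or
    # its NT hash, nothing can be verified, which is exactly the eDir problem.
```

The practical consequence for the thread's setup: a RADIUS server pointed at eDirectory over plain LDAP can only do bind-style (PAP) checks, which the built-in XP supplicant will not do inside PEAP. Giving FreeRadius the Universal Password (or storing NT hashes) is what makes PEAP-MSCHAPv2 with the native supplicant possible.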


augie2005 Tue, 12/30/2008 - 07:56

That's what I was afraid of! One thing that isn't clear though: with FreeRadius, I'd ditch ACS then, right?


dennischolmes Tue, 12/30/2008 - 08:04

Yes, and support for FR is nonexistent. I really suggest a supplicant of some kind. Odyssey by Juniper or the Cisco Supplicant tied to either an ACS RADIUS or bounced off of eDir.

augie2005 Tue, 12/30/2008 - 08:13

Supplicants work fantastically. At $48 a pop, it's gonna set us back ~$58k, which will never happen.

The free XSupplicant is working, but appears to have different anomalies between various machines - we need to test it a bit more.

How are the costs for the Cisco/Juniper supplicants justified? It's a pricey option....

JEFFREY SESSLER Tue, 12/30/2008 - 08:18

I agree, supplicants are great, but there is nothing better than being able to support the lowest common denominator that's built in to the OS.

If you can support PEAP-MSCHAPv2, then you're home-free for every modern OS out there including Windows XP.

JEFFREY SESSLER Tue, 12/30/2008 - 08:16

Yes, unless ACS has a way to talk to another downstream RADIUS server. It works great and there is _plenty_ of support for FreeRadius.

I've been told by my Cisco SE that the next version of ACS is "supposed" to have eDir Universal Password support with MSCHAPv2.

I believe Radiator RADIUS also has support for eDir and Universal Password.


augie2005 Tue, 12/30/2008 - 08:44

Jeff, great info so far...thanks...

So, a couple more things. Do you need to install FreeRadius on a SLES Novell box, or can you install it on another Linux distro not running eDirectory? Basically, can a stand-alone FreeRadius install on Linux replace the ACS and use eDir as a backend using LDAP? Or does FreeRadius need to be installed on SLES Novell and require the schema to get extended?

JEFFREY SESSLER Tue, 12/30/2008 - 10:58

I'm not sure about non-SLES, but I don't see why not, since you'll be pointing FreeRadius at an eDir LDAP server, so the Linux distro doesn't even need to have eDir on it.

Take a look at this:

Now keep in mind that ACS does a lot more than just Radius authentication given it has policy control and other options. If you don't need the other stuff ACS does, then FreeRadius against eDir will do what you need to do.

I'd also check with your local Cisco rep/se to see if you can get access to the ACS 5.x beta.
