AP with built-in authentication

03-12-2007, 10:26 PM

Hi,

In conserving the expenses of deploying an authentication server, I'm
seeking an access point with
local username/password authentication. LEAP or EAP-FAST would work;
though, I don't believe XP
supports those EAP methods. Is there an AP that allows installation
of a certificate and uses PEAP?

regards
J.E

03-13-2007, 01:49 AM

On 12 Mar 2007 16:26:35 -0700, "nordic mist" <(E-Mail Removed)> wrote in
<(E-Mail Removed) om>:

>In conserving the expenses of deploying an authentication server, I'm
>seeking an access point with
>local username/password authentication. LEAP or EAP-FAST would work;
>though, I don't believe XP
>supports those EAP methods. Is there an AP that allows installation
>of a certificate and uses PEAP?

ZyXEL G-2000 Plus
<http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161 313&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E>
or <http://tinyurl.com/2z794g>
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

03-13-2007, 01:13 PM

I believe the Cisco Aironet's can now be configured to use a local
database to do this authentication.

Chris

03-13-2007, 08:25 PM

On 13 Mar 2007 07:13:07 -0700, "NetSteady" <(E-Mail Removed)> wrote:

~ I believe the Cisco Aironet's can now be configured to use a local
~ database to do this authentication.
~
~ Chris

Aironet APs can be configured with a local RADIUS server, but they only
support LEAP and EAP-FAST, not PEAP, which is what the o.p. was looking for.

Aaron

03-14-2007, 02:32 AM

Aaron Leonard <(E-Mail Removed)> writes:

> On 13 Mar 2007 07:13:07 -0700, "NetSteady" <(E-Mail Removed)> wrote:
>
> ~ I believe the Cisco Aironet's can now be configured to use a local
> ~ database to do this authentication.
> ~
> ~ Chris
>
> Aironet APs can be configured with a local RADIUS server, but they only
> support LEAP and EAP-FAST, not PEAP, which is what the o.p. was
> looking for.

To clarify do you mean they won't do PEAP when going to a local radius
server?

I ask because I worked with an 1130AG that was using PEAP mschapv2
auth several months ago, but I think it was authing against a remote
server, not local.

--
Todd H.
http://www.toddh.net/

03-14-2007, 08:41 PM

~ > ~ I believe the Cisco Aironet's can now be configured to use a local
~ > ~ database to do this authentication.
~ > ~
~ > ~ Chris
~ >
~ > Aironet APs can be configured with a local RADIUS server, but they only
~ > support LEAP and EAP-FAST, not PEAP, which is what the o.p. was
~ > looking for.
~
~ To clarify do you mean they won't do PEAP when going to a local radius
~ server?

Correct, the local RADIUS server feature in the AP does not support PEAP.

~ I ask because I worked with an 1130AG that was using PEAP mschapv2
~ auth several months ago, but I think it was authing against a remote
~ server, not local.

Must have been.

Aaron

03-29-2007, 04:45 PM

On Mar 12, 7:49 pm, John Navas <spamfilt...@navasgroup.com> wrote:
> On 12 Mar 2007 16:26:35 -0700, "nordic mist" <jef...@gmail.com> wrote in
> <1173741995.030689.305...@8g2000cwh.googlegroups.c om>:
>
> >In conserving the expenses of deploying anauthenticationserver, I'm
> >seeking an access point with
> >local username/passwordauthentication. LEAP or EAP-FAST would work;
> >though, I don't believe XP
> >supports those EAP methods. Is there anAPthat allows installation
> >of a certificate and uses PEAP?
>
> ZyXEL G-2000 Plus
> <http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040...>
> or <http://tinyurl.com/2z794g>
> --
> Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
> John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

Thanks for the suggestion. This model and the G-3000H both feature
built-in Radius service allowing
PEAP authentication. Though there appears to be a limit of
registering 32 users in the local database.
Are there other APs that allow more or can this be adjusted on the
Zyxel?

The reason why I'm seeking local authentication is the potential to
exploit the APs OS/firmware if
no or little (MAC-based) authentication occurs. I've not researched
this scenario in depth, but is
it possible that an exploitable bug exists in a APs code, where an
attacker can connect and exploit?
I thought of this possibility in the case where the AP hands off
authentication to an external Radius service-
before the auth occurs, an attacker has communication with the AP.

J.E

03-29-2007, 05:12 PM

On 29 Mar 2007 09:45:31 -0700, "nordic mist" <(E-Mail Removed)> wrote in
<(E-Mail Removed) .com>:

>On Mar 12, 7:49 pm, John Navas <spamfilt...@navasgroup.com> wrote:
>> On 12 Mar 2007 16:26:35 -0700, "nordic mist" <jef...@gmail.com> wrote in
>> <1173741995.030689.305...@8g2000cwh.googlegroups.c om>:
>>
>> >In conserving the expenses of deploying anauthenticationserver, I'm
>> >seeking an access point with
>> >local username/passwordauthentication. LEAP or EAP-FAST would work;
>> >though, I don't believe XP
>> >supports those EAP methods. Is there anAPthat allows installation
>> >of a certificate and uses PEAP?
>>
>> ZyXEL G-2000 Plus
>> <http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040...>
>> or <http://tinyurl.com/2z794g>

>Thanks for the suggestion. This model and the G-3000H both feature
>built-in Radius service allowing
> PEAP authentication. Though there appears to be a limit of
>registering 32 users in the local database.
>Are there other APs that allow more or can this be adjusted on the
>Zyxel?

I think that's it with ZyXEL.

At one time it was possible to use TinyPEAP on certain routers, but that
now appears to be dead.

I think this has been requested as an enhancement to DD-WRT, but I don't
think it's actually happened.

>The reason why I'm seeking local authentication is the potential to
>exploit the APs OS/firmware if
>no or little (MAC-based) authentication occurs. I've not researched
>this scenario in depth, but is
>it possible that an exploitable bug exists in a APs code, where an
>attacker can connect and exploit?
>I thought of this possibility in the case where the AP hands off
>authentication to an external Radius service-
>before the auth occurs, an attacker has communication with the AP.

I seriously doubt it. I see no real downside in using an external
RADIUS service.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
WEP authentication, why WEP authentication scheme is flawed and how it can be attacked	Johnny	Wireless Internet	3	08-02-2006 03:44 AM
router contains a built-in switch versus router without a built-in switch	jrefactors@hotmail.com	Network Routers	37	09-19-2005 08:55 PM
router contains a built-in switch versus router without a built-in switch	jrefactors@hotmail.com	Windows Networking	39	09-19-2005 08:55 PM
Built in filter	Fitzy_bhoy	Broadband	2	02-21-2004 09:29 PM
AP with built in modem?	'Captain' Kirk DeHaan	Wireless Internet	2	02-05-2004 12:49 AM