xsupplicant and IAS: no longer fire and water
by Matthew Gast
In many corporate environments, the Microsoft infrastructure is well-entrenched. Users and computers are defined in Active Directory, and the Internet Authentication Server (IAS) is a natural front-end. One of the major issues with using xsupplicant has been that, although it has had PEAP support for quite some time, its PEAP implementation was not interoperable with the IAS PEAP implementation.
This week, I'm at the Interop Labs, volunteering at the LAN Access Security Initiative. One of the major assets of a test event like this is the wide array of hardware and expertise that can be brought to bear on interoperability problems. Most vendors send high-level talent to the staging event, so there's a deep pool of talent and knowledge to work on interoperability problems that come up.
When I learned that Chris Hessing and Terry Simons, two of the three Utah Geeks from the Open1X project, were coming, I wanted to work on finding out why interoperability with the IAS PEAP implementation wasn't working. We were able to quickly verify that the PEAP implementation in xsupplicant was essentially functional by testing it against FreeRADIUS, and succeeding. When running against IAS, though, the authentication would die part of the way through the sequence, and there would be no error in the IAS log. (I believe that no error was logged because the authentication sequence never completed, so there was no result to log. Unfortunately, the lack of usable log information makes troubleshooting much more difficult.)
Eventually, by comparing network traces from the FreeRADIUS authentication to the IAS authentication, and enabling EAP-MSCHAP-V2 authentication over the air on IAS, we were able to trace the problem to a set of boundary conditions on transmitting the response. It appears that part of the reason why authentication was failing against IAS is that Microsoft was performing stricter checks against the received authentication frames than other vendors.
One of the key points of this experience is the "reality check" role that open source tools can play. Wireless security standards are a complex beast. One of the key data points we obtained early on was that the xsupplicant PEAP implementation was fundamentally sound, though it had a minor implementation error. At the iLabs, we have a wide variety of implementations to play with, and our copies are donated by vendors as a technology demonstration. Most users will be unable to assemble a similar testbed composed of expensive commercial products, and will instead rely on zero-cost open-source tools such as FreeRADIUS.
Will you be using xsupplicant's PEAP implementation against IAS? Or do you prefer TTLS instead?
Using IAS with xsupplicant?
I appreciate your article and help in contributing to Open1x. However, I am currently working really hard to get xsupplicant working with IAS in my corporate environment. Is it possible for you to provide a working xsupplicant.conf file example, and possibly describe converting the certificates from Microsoft's certificate services and using those with xsupplicant? Appreciated.