Brian Jepson’s Weblog

The Tao of Mac: Why GarageBand
Matters

Tom
Hoffman: “Sitting in a presentation by Larry Berger from Wireless
Generation on their products for taking reading and math assessment
input on Palms and providing visualization and other services via the
web.”

Teal
Sunglasses: “MenuMeters
is a neat little utility that puts CPU, Memory usage, disk and Network
into little menu items on the bar.”

Mark Frauenfelder: Why can’t Homeland Security tell the difference between Al Quaeda and my six-year-old daughter?

Dave Taylor: “All of my author friends are familiar with a company called bookscan, that purports to offer unbiased quantified data about book sales throughout all outlets. But do they?”

Shawn
Wallace: “…social momentum is a sign of a healthy public life; people
produce a great deal, artistically and otherwise; individuals find
themselves learning more (and memorizing less) and maybe even becoming a
little more understanding and compassionate.”

Glenn
Fleishman points to something that’s very dear to me: “coffee
houses were often the mailing addresses for folks before street
addresses were common.” In the early 1990s, when I was still in
college, I fell in love with the idea of third places
as described in Ray Oldenburg’s The
Great Good Place. So my friends and I put together something called
the Cafe de la Tete. Yeah, the name was a little pretentious, but the
goal was to offer people something really unique–a place to live when
you’re not at work or at home, a place with hopefully as few pressures
as possible.

It was really great fun; we didn’t try to make any money at it, and some
great stuff grew out of that: zines, performance art, a good connection
between the URI scene and what was going on at AS220. The Cafe kept going for a while,
under the direction of various people. It’s not around any more, but
its spirit touched a lot of people, and I think we’re all more
well-rounded for it.

This is one of those things where I was way over my head. I’ve been
trying to set up an 802.1x-protected access point at home with support
for EAP, PEAP, and EAP-TTLS. Why? So I could connect to it from Mac OS
X and Windows XP and know what it feels like. (it’s one thing to write
“Windows XP supports 802.1x”, it’s another thing to know it).

Andreas
Wolf’s FreeRADIUS packages worked great for me on Mac OS X. I
didn’t need MySQL, so I uncommented the sql entries in
/usr/local/freeradius/etc/raddb/radiusd.conf and added a user to
/usr/local/freeradius/etc/raddb/users:

"bjepson"       Auth-Type := Local, User-Password == "bjepson"
                Reply-Message = "Hello, %u"

Next, I connected my D-Link 900AP+ and my Mac to the same hub my
router’s plugged into. My network is 192.168.254.0, but I set up the Mac
and the 900AP+ as 192.168.0.1 and 192.168.0.50, respectively. I told
the 900AP+ that the RADIUS server was on 192.168.0.1, set the shared
secret to “testing123″, and added an entry for the 900AP+ in
/usr/local/freeradius/etc/raddb/clients.conf:

client 192.168.0.50 {
        secret          = testing123
        shortname       = wifi
        nastype     = other
}

Then, I started FreeRADIUS with sudo
/usr/local/freeradius/sbin/radiusd -X and tried to connect from a Mac using
802.1x. That worked OK, but it wasn’t as easy from Windows XP. Windows
XP wanted to use PEAP, and for that, I had to set up a few certificates.
I followed the FreeRADIUS
EAP/TLS - WinXP HOWTO, but didn’t bother with the CA.clt, since I
wanted to authenticate the client using a username and password. I
goofed up at first and got this error when I tried to launch FreeRADIUS:

908:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: CERTIFICATE
908:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt:evp_enc.c:438:
908:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
908:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
lib:ssl_rsa.c:707:

It turns out that I had the wrong private key password in
radiusd.conf; I had second-guessed the instructions, and when the
CA.svr script asked me for a challenge password (A challenge
password []:), I had made one up and figured I was supposed to
replace “whatever” with what I actually used. So, the next time
through, I didn’t supply a challenge password, and set the private key
password to exactly what it said in the HOWTO:

private_key_password = whatever

Connecting
So, to connect from Windows XP, I right-clicked on the Wireless network
connection and selected View Available Wireless Networks. I clicked
Advanced, selected the network in the list, and then clicked Configure. Then
I selected the Authentication tab, made sure “Enable IEEE 802.1x
authentication” was selected, and chose PEAP from EAP type. I clicked
Properties and:

1. Deselected “Validate server certificate,” since my certificate was
   self-signed.

2. Clicked the Configure next to the authentication method
   (which was set to EAP-MSCHAP v2), and deselected “Automatically use my
   Windows logon name…”

Next, I clicked OK to dismiss the remaining windows, and a notification
bubble appeared telling me to “select a certificate or other credentials
for connection.” I clicked it, supplied the user name and password
(bjepson/bjepson) I had
specified in the /usr/local/freeradius/etc/raddb/users file, and
that got me in!

Continuing my theme of running a RADIUS server on different operating
systems today, I tried to set up Windows 2000 Server’s Internet
Authentication Services as the RADIUS authentication for a D-Link
DWL-900AP+ (a cheap Wi-Fi access point that does 802.1x). I got
stuck trying to configure PEAP–it kept telling me that ” A certificate
could not be found that can be used with this Extensible Authentication
Protocol”. Google
Groups to the rescue.

This
tip worked for me. (That is, it got it to compile; I’ll update this
entry if I have to do anything special to make it work).
[Update] It didn’t work, but this
looks promising.