concept question

Kris Benson kbenson at sd57.bc.ca
Fri Aug 12 21:23:19 CEST 2005


FreeRadius users mailing list <freeradius-users at lists.freeradius.org> on
August 11, 2005 at 15:23 -0800 wrote:
>what i am dreaming of (at least regarding radius ;-) ):
>- wlan with wpa/802.1x using freeradius
>- clients mostly windows xp, several mac os x, few linux (unimportant
>right now)
>- the normal users (known to the local unix network the
>accesspoint/switch is
>connected to via nis or (some day) ldap) can access easily just with their
>username and password, if possible without client certificates (to keep
>things
>simple for the user)
>- some special 'accounts' (for guests etc.) in the freeradius users files
>
>can this be realized with freeradius?
>as far as i understand the concepts behind this all this means a have to
>use
>peap, eap/ttls or eap/mschap-v2, am i right?
>
>has anyone set up something like this and can help me with some ideas,
>hints
>about trap-doors and other trouble ahead? or even some example
>configuration
>files?

I've done something similar.

First off, if your passwords are stored using irreversible encryption
(e.g. Unix passwd file), you are only going to be able to use
EAP-TTLS/PAP.  The reason is that both PEAP and MSCHAPv2 require a
challenge-response type mechanism, where the server has the plaintext
password available to it (either by reversible encryption or plaintext).

For EAP-TTLS, WindowsXP supplicants will either be installed with the
wireless card (in the case of the newer Intel ones) or you'll have to pick
up SecureW2.  Both options work quite well.

You don't need client certs with EAP-TTLS.

The MacOS X.2 (or better) with latest patches will do TTLS builtin.

There is a supplicant available for Linux, too -- Xsupplicant, courtesy of
the Open1x project.

Let me know if you need any other tips or tricks.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
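An added illustration of the point made in the reply above (this is example code, not from the original thread and not FreeRADIUS's own logic): a PAP-style check can be satisfied from a one-way hash store, because the server receives the password inside the TTLS tunnel and re-hashes it, whereas a challenge-response check has to recompute the client's response and therefore needs the plaintext (here, a plaintext guest entry in the style of the users file). The usernames, passwords and iteration count are constructed; pbkdf2_hmac stands in for crypt(3), and the HMAC-SHA1 response is a simplified stand-in for MS-CHAPv2's MD4/DES computation, only the shape of the exchange is the same.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed parameter for the stand-in one-way hash


def enroll_one_way(store, username, password):
    """Keep only a salted one-way hash, as a Unix passwd/NIS store does.
    pbkdf2_hmac is a stand-in for crypt(3); the salt is generated here."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[username] = {"kind": "one_way", "salt": salt, "digest": digest}


def enroll_plaintext(store, username, password):
    """Keep the password itself, as a guest entry in the users file would."""
    store[username] = {"kind": "plaintext", "password": password}


def pap_verify(store, username, password):
    """PAP inside TTLS: the server sees the password, so it can re-hash it
    and compare. This works against either kind of store."""
    entry = store.get(username)
    if entry is None:
        return False
    if entry["kind"] == "plaintext":
        return hmac.compare_digest(entry["password"].encode(), password.encode())
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), entry["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, entry["digest"])


def challenge_response(password, challenge):
    """Client side of a challenge-response exchange: prove knowledge of the
    password by keying a MAC over the server's challenge (simplified stand-in
    for the MS-CHAPv2 response)."""
    return hmac.new(password.encode(), challenge, hashlib.sha1).digest()


def chap_verify(store, username, challenge, response):
    """Server side: recompute the expected response and compare. With a
    one-way hash the server cannot recompute it at all, so the result is
    None (undecidable), not merely False (wrong password)."""
    entry = store.get(username)
    if entry is None:
        return False
    if entry["kind"] != "plaintext":
        return None
    expected = challenge_response(entry["password"], challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Run both verification styles against both kinds of store entry."""
    store = {}
    enroll_one_way(store, "alice", "correct horse")     # NIS/Unix user, hashed
    enroll_plaintext(store, "guest01", "visitor-2005")  # users-file guest
    challenge = os.urandom(16)                          # server-chosen nonce
    return {
        "alice_pap": pap_verify(store, "alice", "correct horse"),
        "alice_pap_wrong": pap_verify(store, "alice", "wrong"),
        "alice_chap": chap_verify(
            store, "alice", challenge, challenge_response("correct horse", challenge)
        ),
        "guest_chap": chap_verify(
            store, "guest01", challenge, challenge_response("visitor-2005", challenge)
        ),
        "guest_chap_wrong": chap_verify(
            store, "guest01", challenge, challenge_response("nope", challenge)
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `alice_chap` result is `None` rather than `False`: the server holds only a one-way hash of alice's password, so it has nothing to key the response computation with, which is exactly why PEAP/MSCHAPv2 cannot be backed by a passwd-style store while EAP-TTLS/PAP can.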