need help & advice getting started with freeradius

daniel knox mail at dknox.co.uk
Sun Apr 5 22:41:08 CEST 2009


Lol, just actually read some stuff on WPA and learnt a bit more about EAP. I
realise now that TTLS does not require client certificates like I previously
thought, only the server. Apologies for this misunderstanding. Although I
do realise now that SecureW2 would be required to give my Windows users the
ability to access this. Although this may not be too difficult to distribute
to them, I would have to look into these possible issues.

On Sun, Apr 5, 2009 at 9:35 PM, daniel knox <mail at dknox.co.uk> wrote:

> Okie, I've spent some of this weekend looking into this and some of the
> files included in freeradius (haven't had a chance to play around testing it
> though).
>  Am I right in guessing once I've configured the ldap group membership
> filter, I include the unlang statement:
>
> if (Ldap-Group == whatever) {
>     reject
> }
> as Ivan suggested in my radiusd.conf file in the authorise part?
>
>  Second up, I'm still juggling between what EAP type to use. It seems more
> and more PEAP is going to introduce a level of complexity which I would like
> to avoid. What's the view of this list on what extension will be most
> suitable in this case? As I mentioned previously, I would like to keep admin
> work down as much as possible in terms of certificates, because currently many
> of our users have to constantly come to ICT for help configuring their
> wireless. Hence the ideal of them just needing to use their username and
> password to firstly make it considerably easier for a user to get onto the
> wireless and to secondly increase the security of our wireless network. Also,
> is the use of a different EAP type going to cause difficulty in terms of
> client compatibility? Aka, is a user with his poor Windows laptop going to
> have to install something extra just to communicate with the wireless, or
> should it just be as simple as user sees wireless network, chooses it, it
> prompts for username and password and off he goes? Do I have to use an EAP
> type or can I get away with not having one / is this very ill advised?
>  Basically, if you were in my position how would you go about it, is
> probably what I'm asking for, lols. I admit wireless security is something I
> have not gone very deep into before.
>
>  Many thanks again.
>
> On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter <alex at digriz.org.uk>wrote:
>
>> tnt at kalik.net wrote:
>> >
>> >>In my scenario I would like to use PEAP if possible but not require the
>> >>user client to have a certificate, just the radius-server (which is why I
>> >>believe the TTLS solution will be inefficient here as I would have to deal
>> >>with handing out client certificates to hundreds of users). And to be asked
>> >>then their username and password to authenticate onto our wireless. Would
>> >>combining these two guides work to get these two initial setups up and running?
>> >>
>> >
>> TTLS is *not* an admin hassle, TLS is (client-side certificates).  TTLS
>> means you put a verifiable server certificate on the *server* end that
>> the client can verify and know who it is talking to, then you can safely
>> even send the password in plain text.
>>
>> > PEAP will require passwords stored as clear text or nt hash. If your
>> > passwords are stored as something else they will have to be changed.
>> >
>> ...or...you use EAP-TTLS and get the client to send the passwords in
>> plaintext and then do an LDAP bind() to check if the credentials are
>> correct.
>>
>> Once you are doing this you can one day get around to (if you want to)
>> putting in plaintext passwords into your LDAP database that FreeRADIUS
>> can use and abuse.
>>
>> > As for combining freeradius and ldap perhaps you should read the
>> > freeradius documentation first (wiki or doc/rlm_ldap from the
>> > download) and then see if there is any need to bother with third party
>> > stuff.
>> >
>> Well PEAP without AD means you have to jump through a lot of hoops
>> manually configuring each client by hand.  With something like SecureW2
>> you include a 'seeding' file and it will do all the hard manual priming.
>>
>> This is all overlooking that PEAP is horrible: if you want to play
>> with OTPs or other fun custom things, good luck doing that with PEAP.
>>
>> Cheers
>>
>> --
>> Alexander Clouter
>> .sigmonster says: Marriage causes dating problems.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
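The Ldap-Group gate that Daniel asks about and the TTLS-plus-LDAP-bind arrangement that Alexander describes, laid out together as FreeRADIUS 2.x configuration fragments. This is an added example, not text from the thread and not the FreeRADIUS project's own shipped files; the LDAP hostname and base DN, the group name `wireless-users`, the certificate paths and the `inner-tunnel` wiring are placeholders or assumptions you would adapt to your site.

```unlang
# --- raddb/modules/ldap (excerpt) ---
ldap {
    server = "ldap.example.internal"               # placeholder
    basedn = "ou=People,dc=example,dc=internal"    # placeholder
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Group lookup behind the Ldap-Group check item used in the inner tunnel.
    # Assumes groupOfNames-style groups whose 'member' holds the user DN.
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"

    # No clear-text or NT-hash password attribute is fetched here: with
    # TTLS/PAP the module authenticates by binding to LDAP as the user.
}

# --- raddb/eap.conf (excerpt) ---
eap {
    default_eap_type = ttls
    tls {
        # Only the RADIUS server presents a certificate; clients just need to
        # trust the CA that issued it (what makes the inner plaintext PAP safe).
        certdir = ${confdir}/certs                    # placeholder paths
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${certdir}/ca.pem
    }
    ttls {
        default_eap_type = md5        # inner method; SecureW2 clients pick PAP
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"   # the tunnelled request lands here
    }
}

# --- raddb/sites-enabled/inner-tunnel (excerpt) ---
authorize {
    ldap    # resolves the user DN and evaluates Ldap-Group membership

    # Gate on group membership: reject anyone NOT in the placeholder group.
    if (!(Ldap-Group == "wireless-users")) {
        update reply {
            Reply-Message := "Not authorised for wireless access"
        }
        reject
    }

    # No known-good password came back from LDAP, so route the PAP check to
    # an LDAP bind (assumption: 2.x rlm_ldap usually sets this itself when it
    # finds no password attribute; setting it explicitly keeps the intent clear).
    if (!control:Auth-Type) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # rlm_ldap binds to the directory as the user with the tunnelled password.
    Auth-Type LDAP {
        ldap
    }
}
```

The outer `default` virtual server only needs the `eap` module in `authorize` and `authenticate`; the user name and password never leave the TLS tunnel, so the group check and bind belong in `inner-tunnel`. On the client side this matches the thread's conclusion: a Windows supplicant configured for TTLS/PAP (SecureW2 on XP-era Windows) with the CA certificate installed and server validation switched on, since a client that skips server validation would hand its plaintext password to any access point advertising the SSID.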