need help & advice getting started with freeradius

daniel knox mail at dknox.co.uk
Mon Apr 6 17:22:43 CEST 2009


OK, long day trying to deploy RADIUS; I think it might be in a working
state though.

Basically I had to use radius 1.7-something as it was in the repos. If
problems persist I'll try and compile a binary up for the distro they are
using (PCLinuxOS). Off topic: I agree with people that a server-orientated OS
such as CentOS would make life far easier more often. Anyway, PCLinuxOS it
is currently. Initially got LDAP up and running and local radtest worked
well with a user from the directory; when I tried getting my iPhone to
connect, problems ensued. Quickly worked out that the iPhone defaults to
sending a PEAP EAP request, which as your documentation states would stop
the LDAP bit, as I hadn't touched anything to do with TLS, PEAP etc. at that
point.

 I have NTPassword in my LDAP directory so I could use PEAP; however, maybe
through misconfiguration by me, or the fact that my entry does not have a
preceding 0x (instead it just has 32 digits without the preceding two
characters), could be why this wasn't working. However, my LDAP field is set to
max 32 chars long, so not sure how to append these two characters, and changing
a lot of entries if I fuzz up will be very bad news.

 So instead went with TTLS. This time I started from scratch as I'm convinced
by now the config files were probably messed over, and this time when I set
it up I still find that I can query an LDAP user with radtest locally, which is
good. Haven't tried the wireless point yet as the iPhone requires a profile
sent to it from the iPhone configurator tool to set TTLS. However it also
asks for the inner authentication protocol. I've set this to PAP as I'm assuming
that MS-CHAP is going to require NT-Password. Is this likely to work, or do I
have to do something to configure PAP? I realise if I get TTLS up and
running I'm going to have to create some deployment stuff to get it out there,
but I will cross that bridge when it comes to it.

 Will post up if I get any more problems tomorrow when I try the profiled
iPhone. If it doesn't work I'm not sure what would be causing these
problems, so will send my configs and errors tomorrow.

 At the moment the setup is like this: OpenLDAP directory and FreeRADIUS 1.7 on the same
server (Xen); FreeRADIUS refers to LDAP by localhost. Linksys wireless
access point in enterprise mixed mode, which only has an IP for the RADIUS server
and port options. Linksys point added to clients.conf. iPhone for testing.

On Sun, Apr 5, 2009 at 10:24 PM, Alexander Clouter <alex at digriz.org.uk>wrote:

> daniel knox <mail at dknox.co.uk> wrote:
> >
> > Lol, just actually read some stuff on WPA and learnt a bit more about EAP.
> > I realise now that TTLS does not require client certificates like I
> > previously thought, only the server. Apologies for this misunderstanding.
> > Although I do realise now that SecureW2 would be required to give my
> > Windows users the ability to access this. Although this may not be too
> > difficult to distribute to them, I would have to look into these possible
> > issues.
> >
> You use server certificates for PEAP too, it's madness not to use a
> server certificate in either case.  If you do not then the clients are
> more than happy to dish out user credentials to anyone who asks.
>
> I prefer TTLS as although PEAP is already built into Mac OS X and
> Windows, neither can be easily autoconfigured with some kind of priming
> script[1].  We use TTLS as it's not braindead[2] and in the case of
> SecureW2 it can be trivially autoconfigured.  If you tie it in with a
> NSIS script then you can do some *really* nice things for wireless
> workstation priming for your Windows userbase.
>
> Cheers
>
> [1] not that I know of anyway, and Mac OS X 10.5 seems to have dropped
>        support for wireless profile importing
> [2] well, from my perspective; I'm sure implementors out there might say
>        otherwise
>
> --
> Alexander Clouter
> .sigmonster says: Neil Armstrong tripped.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
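As an added illustration (not from the original thread, and not the FreeRADIUS project's own shipped configuration), here is the shape of the FreeRADIUS 1.x configuration the setup described above needs: EAP-TTLS terminated on the RADIUS server with a server certificate, the inner PAP request answered from OpenLDAP on localhost, and the Linksys access point registered as a RADIUS client. The certificate paths, base DN, access point address and shared secret are assumed placeholders.

```conf
# --- eap.conf (added example; placeholder paths and values are assumptions) ---
eap {
	default_eap_type = ttls          # the iPhone profile asks for TTLS
	timer_expire = 60
	ignore_unknown_eap_types = no

	tls {
		# A server certificate is mandatory for both TTLS and PEAP: without
		# one, supplicants will hand credentials to any AP that answers.
		private_key_file = ${raddbdir}/certs/server.pem   # assumed path
		certificate_file = ${raddbdir}/certs/server.pem   # assumed path
		CA_file          = ${raddbdir}/certs/ca.pem       # assumed path
		dh_file          = ${raddbdir}/certs/dh
		random_file      = ${raddbdir}/certs/random
	}

	ttls {
		# Inner PAP carries the cleartext password inside the TLS tunnel, so
		# rlm_ldap/rlm_pap can check it against userPassword in LDAP. An inner
		# MS-CHAP method would need NT-Password instead.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
	}
}

# --- radiusd.conf, modules section ---
ldap {
	server = "localhost"                        # directory on the same host
	basedn = "ou=people,dc=example,dc=org"      # assumed base DN
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	start_tls = no                              # loopback only; enable for a remote directory
	password_attribute = userPassword           # read the hash for rlm_pap
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

# --- radiusd.conf, authorize / authenticate sections ---
authorize {
	preprocess
	eap        # runs the outer TTLS handshake
	ldap       # inner request: look the user up and fetch userPassword
	pap        # sets Auth-Type = PAP when User-Password is present
}

authenticate {
	Auth-Type PAP {
		pap    # compare the tunnelled password with the LDAP hash
	}
	Auth-Type LDAP {
		ldap   # fallback: bind to LDAP as the user when no hash was readable
	}
	eap
}

# --- clients.conf ---
client 192.168.1.2 {                 # assumed access point address
	secret    = change-this-shared-secret   # assumed; also set on the AP
	shortname = linksys-ap
	nastype   = other
}
```

A local `radtest` only exercises plain RADIUS/PAP against the authorize and authenticate sections; it never touches the `eap` module, so a passing radtest says nothing about whether the TTLS tunnel and the inner PAP request work. Running `radiusd -X` and watching the inner request appear with its own authorize/authenticate pass is the check to make before involving the iPhone.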