simple radius auth in school??

Stefan Winter stefan.winter at restena.lu
Tue Jan 20 12:13:16 CET 2009


Hi,

> we have some new Edimax EW-7209APg, that support RADIUS Auth with EAP/MD5.
> 1) How can I setup that system to make it as simple as possible for our
> teachers.
>   

Using EAP is a good idea, but EAP-MD5 in particular is a bad one. Some
recent supplicants won't allow you to use EAP-MD5 any more, since it
doesn't support mutual authentication.
The good thing is: the EAP type used is none of the Access Point's
business. If it can do EAP-MD5, it can also do "sane" EAP types like
TTLS or PEAP.

> We don't need ssl or WAP or a split connection, where WLAN access is
> just granted to the intra but not internet or vice versa.
>   

You should be careful with such statements; if you have a few clever
pupils in your school, you can almost bet they will go to some length to
discover the teacher's password. Securing the credentials with SSL, and
securing the traffic over-the-air with WPA or WPA2, are good things to
consider.

> I want to have my wired hosts and the wlan-hosts in one net (e.g.
> 192.168.10.0), no VLAN.
> As simple as possible, people with username/password can access the net
> wireless, wired clients are always on the net.
>   

EAP-PEAP and EAP-TTLS both support username/password operation.

> 2) Is there a "best practice guide" for this kind of situation??
>   

Google for "configuring PEAP freeradius" should give you some good
starting points. This has been done hundreds of times. If your school
belongs to higher ed and you are connected to BELNET, consider joining
eduroam ( http://www.eduroam.be/ , http://www.eduroam.org/ ). There are
plenty of experts around who have done PEAP in eduroam.

> 3) Do I have to install a captive-portal??
>   

A captive portal will make it easy for teachers' access credentials to
be intercepted or phished. It will not secure the connection
over-the-air. It requires your teachers to enter their credentials every
time they want to (re-)connect.
So, no, don't install a captive portal. Use WPAx+RADIUS.

> 4) The EW-7209APg has a built-in RADIUS server, but I didn't manage to
> connect a laptop wirelessly to it; how is this done? (With no auth it
> works), but I don't understand what I have to do on the laptop to show me
> some kind of window to enter username and password, or is this done as
> some kind of dialup.
>   

This mailing list is about FreeRADIUS. I'm sorry that your gear doesn't
work as you expect, but please don't ask us questions about an unrelated
product.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
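As an added example, not part of this thread or of the FreeRADIUS project's own files: the three FreeRADIUS 2.x configuration pieces that follow the advice above (WPA/WPA2 + RADIUS, PEAP with MS-CHAPv2 inside the TLS tunnel, EAP-MD5 not offered at all). The certificate paths, the access point's address inside the 192.168.10.0 network, the client name, the shared secret and the teacher account are assumed placeholders.

```conf
# raddb/eap.conf (FreeRADIUS 2.x): EAP types the server offers to the AP.
# The AP only relays EAP; it does not need to understand PEAP itself.
eap {
    # PEAP is the default outer type; EAP-MD5 is deliberately not enabled,
    # so a supplicant can never be downgraded to an unauthenticated server.
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no

    tls {
        # Assumed paths: the server certificate the teachers' laptops
        # will validate before sending any password.
        certificate_file = ${confdir}/certs/server.pem
        private_key_file = ${confdir}/certs/server.key
        CA_file          = ${confdir}/certs/ca.pem
        dh_file          = ${confdir}/certs/dh
        random_file      = /dev/urandom
    }

    peap {
        # Username/password exchange happens only inside the TLS tunnel.
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }

    mschapv2 {
    }
}

# raddb/clients.conf: the access point is the RADIUS client, not the laptops.
client edimax-ap {              # assumed name
    ipaddr    = 192.168.10.2    # assumed AP address in the 192.168.10.0 net
    secret    = CHANGE-THIS-SHARED-SECRET
    shortname = edimax-ap
}

# raddb/users: one teacher account (assumed), checked by MS-CHAPv2.
# Cleartext-Password lets the server derive the NT hash MS-CHAPv2 needs.
"teacher1"    Cleartext-Password := "example-only-password"
```

The laptop side is then a standard WPA2-Enterprise profile (PEAP, MSCHAPv2, server certificate validation turned on), which is what produces the username/password window the original poster was looking for.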