New design/deployment of freeradius

A.L.M.Buxey at lboro.ac.uk
Wed May 22 10:12:25 CEST 2013


Hi,

>    I'm new to radius so I have some basic questions regarding the design and
>    deployment of our freeradius server.
>    We want to use freeradius for our BYOD deployment. We have the following:
>    Ubuntu, OpenLDAP, Ruckus Zone Director and a Safe_Connect NAC. Our
>    passwords are not clear text in ldap. We would like to avoid client
>    certificates and we would like to do dynamic VLAN assignments.
>    I'd like to verify that I'm on the right track here with setting up the
>    protocols and types to use.
>    We have to use PAP because of not having clear text passwords?
>    To avoid client certificates, we can use PEAP type of EAP?

those 2 don't go together - you cannot have PAP with PEAP. EAP-TTLS has a PAP method
but then some clients don't have EAP-TTLS ability (and some do with an extra supplicant
installed).

>    Also, we have a wildcard domain SSL certificate, can this be used or do we
>    have to create a new one for this purpose on the server?

some clients don't like such... but so long as the RADIUS server is signed with a certificate
that has the required extensions you'll be okay

>    Is there a recommended configuration for this type of deployment? Do you
>    have any tips or tricks that would make our deployment go smoother?

?? there are hundreds of ways of deploying. however, so long as your LDAP backend has the entries
that allow you to distinguish between e.g. a registered device (e.g. known MAC) or type of ID e.g. staff
or student, you can do the required policies.  FreeRADIUS can return the required reply values
to your kit to instruct the VLAN/WLAN ID/number.

alan
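
As an added example (not part of the original post and not FreeRADIUS code), the sketch below shows why a hashed directory password still works with PAP, such as the PAP method inside EAP-TTLS, but not with a challenge-response method. It assumes the LDAP `userPassword` values are salted SHA-1 (`{SSHA}`), which the question does not state, and uses CHAP (RFC 1994) as the challenge-response case; the password, salt and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_verify(stored: str, offered: bytes) -> bool:
    """PAP hands the server the password itself, so the server can
    re-hash it with the stored salt and compare against the directory value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(offered + salt).digest(), digest)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, server_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the response, so it needs the same secret the client used."""
    return hmac.compare_digest(chap_response(ident, server_secret, challenge), response)


def demo() -> dict:
    password = b"correct horse"                 # constructed sample password
    stored = make_ssha(password, b"\x01\x02\x03\x04")  # what the directory holds
    challenge = bytes(range(16))                # constructed 16-byte challenge
    client_resp = chap_response(7, password, challenge)  # client knows the cleartext
    return {
        "pap_good": pap_verify(stored, password),
        "pap_bad": pap_verify(stored, b"wrong"),
        # A server holding the cleartext can check the CHAP response...
        "chap_with_cleartext": chap_verify(7, password, challenge, client_resp),
        # ...a server holding only the salted hash cannot reproduce it.
        "chap_with_hash_only": chap_verify(7, stored.encode(), challenge, client_resp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```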

