FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 11, 2005 at 15:23 -0800 wrote:
what i am dreaming of (at least regarding radius ;-) ): - wlan with wpa/802.1x using freeradius - clients mostly windows xp, several mac os x, few linux (unimportant right now) - the normal users (known to the local unix network the accesspoint/switch is connected to via nis or (some day) ldap) can access easily just with their username and password, if possible without client certificates (to keep things simple for the user) - some special 'accounts' (for guests etc.) in the freeradius users files
can this be realized with freeradius? as far as i understand the conecpts behind this all this means a have to use peap, eap/ttls or eap/mschap-v2, am i right?
has anyone set up something like this and can help me with some ideas, hints about trap-doors and other trouble ahead? or even some example configuration files?
I've done something similar. First off, if your passwords are stored using irreversible encryption (e.g. Unix passwd file), you are only going to be able to use EAP-TTLS/PAP. Reason being that both PEAP and MSCHAPv2 require a challenge-response type mechanism, where the server has the plaintext password available to it (either by reversible encryption or plaintext). For EAP-TTLS, WindowsXP supplicants will either be installed with the wireless card (in the case of the newer Intel ones) or you'll have to pick up SecureW2. Both options work quite well. You don't need client certs with EAP-TTLS. The MacOS X.2 (or better) with latest patches will do TTLS builtin. There is a supplicant available for Linux, too -- Xsupplicant, courtesy of the Open1x project. Let me know if you need any other tips or tricks. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)