Hi,
I'm using freeradius-1.1.2 on a freebsd server and i've compiled it against openldap-2.3.24 which all went well. I'm attempting to set up secure wireless with WPA2 using our ldap directory for authentication. We have a replica of our directory running on the freeradius server. Originally i had hoped to use some sort of web-redirect-to-an-authentication-page system like you sometimes see in hotels but i can't find anything about that (any information welcome).
"captive portal" - there are several software tools that will do this... eg http://en.wikipedia.org/wiki/Captive_portal most people seem to be moving away from this method as it is riddled with possible security compromises.
After reading around, the best form of authentication i can see would be eap-ttls with pap as the inner protocol. I believe (from comments in the radiusd.conf file) that i wouldn't be able to use md5 with ldap. Now, i've set it up in a way that appears to be mostly right and i *can* authenticate with my username/password in ldap but doing a tcpdump on the radius server worries me. I can see my username passed in the clear in the packets so i'm concerned it's not using tls at all. I told the wireless client to use ttls so i can't understand what's going on.
PAP uses clear text (unencrypted) password authentication. whilst the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted session) when you CAN see the PAP in the clear is when its being sent over to LDAP - so you need to make sure that that communication is encrpyted...either by making sure its configured to use SSL for its communication channel...or simply 'stunnel'ing the traffic.
modules { ldap { server = "localhost" filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no ^^^^^^^^^^^^^^
this!
dictionary_mapping = ${raddbdir}/ldap.attrmap } }
authorize { eap ldap }
alan