Hi there, n message <20080420183618.69235CBE80@ws5-11.us4.outblaze.com>, Si St <sigbj-st@operamail.com> writes
----- Original Message ----- From: "David Wood" <david@wood2.org.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: the newbie on radiustesting strikes again Date: Sun, 20 Apr 2008 01:00:42 +0100
Hi,
Ivan has already given you much good advice. I wanted to add a few comments.
In message <20080419222236.5BED97B8F8@ws5-10.us4.outblaze.com>, Si St <sigbj-st@operamail.com> writes
The Router supports EAP/WPA-Enterprise(has a box for this choice;) Automatic (WPA or WPA2), TKIP and AES
I would be very surprised if the RADIUS functionality on the router supports anything other than the wireless access point. It sounds like you have a consumer level unit - not an enterprise level router/firewall here.
You are most probably 100% right In a prevoius mail I told this router to be a DLINK DIR-635 ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_m anual_ww.pdf
Thanks for that - a quick glance confirms it to be a consumer level unit and the RADIUS functionality is limited to the wireless access point, as I thought.
If so, all you can do with RADIUS is to control access to your wireless network - the Authentication and Authorisation of AAA. Most consumer level units do not support Accounting - though some do. If your router doesn't support accounting, there's no point wasting any time setting up accounting in FreeRADIUS!
Which will practically mean access to the router only And the router cannot handle Accounting that will mean giving user names and passwords
Correct - you can use user names and passwords with PEAP, or digital certificates with EAP-TLS, to access your wireless network rather than the single shared secret (PSK) of WPA-Personal.
You will not have the RADIUS functionality of more expensive enterprise level wireless access points, such as the ability to return the VLAN to connect the user to from the RADIUS server. There again, if this is a consumer unit, it probably has no VLAN support anyway.
I find only a box for Virtual Server on the router and on Advanced Network only uPnP; not much to go for here.
This is consumer gear - I would be very surprised to see any VLAN support. I doubt you have 802.1Q capable switches anyway (though L2 managed 10/100 switches are inexpensive these days). See http://en.wikipedia.org/wiki/VLAN for more on VLANs.
If you want better management of DHCP, one possibility is a DHCP server that uses an LDAP backend. You could also use LDAP to store user credentials for FreeRADIUS. However, with the size of your network, the added complexity probably isn't worthwhile.
I should just note that Alan's announcement of the DHCP functionality in the CVS HEAD (and presumably 2.0.4 when it is released) will allow you to use FreeRADIUS to hand out IP addresses - though I suspect that the limitations on this experimental module at present will mean that you're better off sticking with your existing DHCP server.
Right. But my intentions here were to see what I could achieve choosing the WPA-Enterprise option alternatively to the WPA-Personal (as the checkboxes on the router call it), and thereby maybe apply the FreeRadius.
Of course - and that is a valuable aim in itself. Bearing in mind that port 1812 is the only one mentioned (and not 1813), I suspect that your router doesn't support accounting. There's no support for handing out IP addresses via RADIUS attributes either.
My question was: Is it really possible for me to do this networking different, and with EAP, and learn something from it? How complicated is this task, and is it possible to do it fairly simple gaining profit from a resultant more secure network? And thus grow in knowledge and experience?
What you're looking to do is entirely possible, and is worthwhile and valuable. It's where I started out with FreeRADIUS. You can set up FreeRADIUS to authorise your wireless users by user name and password, using PEAP (if you want to give it its full name, PEAPv0/EAP-MSCHAPv2). This will give you a log of who accessed your wireless network and when, and you have better granularity in the access control (that is, you can change and revoke passwords for each user separately, rather than having a single shared secret). WPA Enterprise is also stronger, because the PMK is generated from the EAP exchange and lasts the lifetime of the session, rather than being a cryptographic hash of the PSK (which lasts until you change the PSK). If you wish, you can also experiment with EAP-TLS, and learn more about running your own PKI. This will teach you loads about digital certificates, certificate authorities and the like.
So far I have learned a lot more through this mailinglist concerning my aims than I originally expected. They way my questions are answered forces me to think in the right rational way and professionally simpler.
It sounds worthwhile all round, then! Best wishes, David -- David Wood david@wood2.org.uk