Hello everyone I am very new to freeradius and security type environments and I am feeling somewhat out of my depth at the moment. My current situation is that I have a chillispot WIFI setup. A diagram of the current network can be seen at http://www.shooter.co.nz/network.pdf The problem I have with this setup is that unscrupulous people are connecting to the unprotected APs without authenticating and playing games between themselves therefore bogging down our network with their traffic. So what I am wanting to do is dispose of the chillispot server and authenticate the users directly from the APs (WAP54G) using WPA- Enterprise. WPA-Enterprise on the WAP54G is radius authentication with a WPA shared key between the AP and the radius server. I have got the APs talking to the radius server, but it seems the radius server is using the credentials from the PC to authenticate the users. Here is what I would like to do. When a user attempts to connect to the AP, the user is presented with a login screen (much like chillispot), the user logs on and they are connected to the AP and can use the network as expected. If a user cannot authenticate the attempt is logged and the connection attempt to the AP is dropped. This way a user cannot just blindly connect to our network and use bandwidth. Is that type of configuration possible? and if so where would I find information on how it is done? Many thanks in advance for you patience and comments. Regards Fred
On Sun 05 Aug 2007, Fred Zinsli wrote:
Hello everyone
I am very new to freeradius and security type environments and I am feeling somewhat out of my depth at the moment.
My current situation is that I have a chillispot WIFI setup. A diagram of the current network can be seen at http://www.shooter.co.nz/network.pdf
The problem I have with this setup is that unscrupulous people are connecting to the unprotected APs without authenticating and playing games between themselves therefore bogging down our network with their traffic.
So what I am wanting to do is dispose of the chillispot server and authenticate the users directly from the APs (WAP54G) using WPA- Enterprise.
Putting chillispot on each individual AP is also a possibility..
WPA-Enterprise on the WAP54G is radius authentication with a WPA shared key between the AP and the radius server.
I have got the APs talking to the radius server, but it seems the radius server is using the credentials from the PC to authenticate the users.
Thats what it is designed to do.
Here is what I would like to do. When a user attempts to connect to the AP, the user is presented with a login screen (much like chillispot), the user logs on and they are connected to the AP and can use the network as expected. If a user cannot authenticate the attempt is logged and the connection attempt to the AP is dropped.
If you want a web based login screen use chillispot or something similar. If you want to use a PC based supplicant, then WPA is the correct solution.. -- Peter Nixon http://peternixon.net/
On 8/4/07, Fred Zinsli <fred.zinsli@shooter.co.nz> wrote:
Hello everyone
I am very new to freeradius and security type environments and I am feeling somewhat out of my depth at the moment.
My current situation is that I have a chillispot WIFI setup. A diagram of the current network can be seen at http://www.shooter.co.nz/network.pdf
Looks nice :-) The problem I have with this setup is that unscrupulous people are
connecting to the unprotected APs without authenticating and playing games between themselves therefore bogging down our network with their traffic.
Just wondering, that firewall (smooth1) is a smoothwall box? If yes, It's been a while since i've been playing with it, but I remember there was a chillispot mod for it.(check the homebrew forum) Just add an extra nic to that box and try it out. Your wireless will be completely seperated from the rest of the network too this way. Also, as already suggested, you can run chillispot directly from a WRT54GL (maybe WAP54G also, not sure) with alternative firmware, which is probably the most easy solution. ... Here is what I would like to do. When a user attempts to connect to the
AP, the user is presented with a login screen (much like chillispot), the user logs on and they are connected to the AP and can use the network as expected. If a user cannot authenticate the attempt is logged and the connection attempt to the AP is dropped.
That's easy, once you've set up everything, just enable auth. logging in radiusd.conf Kind regards, Yves
participants (3)
-
Fred Zinsli -
Peter Nixon -
YvesDM