Re: the newbie on radiustesting strikes again
----- Original Message ----- From: "David Wood" <david@wood2.org.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: the newbie on radiustesting strikes again Date: Sun, 20 Apr 2008 01:00:42 +0100
Hi,
Ivan has already given you much good advice. I wanted to add a few comments.
In message <20080419222236.5BED97B8F8@ws5-10.us4.outblaze.com>, Si St <sigbj-st@operamail.com> writes
The Router supports EAP/WPA-Enterprise(has a box for this choice;) Automatic (WPA or WPA2), TKIP and AES
I would be very surprised if the RADIUS functionality on the router supports anything other than the wireless access point. It sounds like you have a consumer level unit - not an enterprise level router/firewall here.
You are most probably 100% right In a prevoius mail I told this router to be a DLINK DIR-635 ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_manual_ww.pdf
If so, all you can do with RADIUS is to control access to your wireless network - the Authentication and Authorisation of AAA. Most consumer level units do not support Accounting - though some do. If your router doesn't support accounting, there's no point wasting any time setting up accounting in FreeRADIUS!
Which will practically mean access to the router only And the router cannot handle Accounting that will mean giving user names and passwords
You will not have the RADIUS functionality of more expensive enterprise level wireless access points, such as the ability to return the VLAN to connect the user to from the RADIUS server. There again, if this is a consumer unit, it probably has no VLAN support anyway.
I find only a box for Virtual Server on the router and on Advanced Network only uPnP; not much to go for here.
There will probably for all practical purposes be only wireless clients:3 laptops and one workstation,but I have configured 2 IP addresses for each laptop, one for their wireless card the other address for the wired/cabled card in case they will be needed. The access of the clients are controlled allowing only the specific MAC addresses of each machine to connect to the router.(Routers Netfilter) The machines have also fixed IPs reserved.
I very much doubt that your router can make any use of RADIUS for handing out IP addresses, especially if the only mention of RADIUS is in connection with the wireless features.
Handing out IP addresses via RADIUS is most commonly done with NASes (dial in servers), VPN servers and CMTS (cable modem termination systems).
DHCP is more typical for bridged scenarios such as wireless networks. Your credentials get you connected to the wireless network, at which point the computer gets an IP address and related information (gateway address, DNS server(s), possibly WINS servers) via DHCP.
If you want better management of DHCP, one possibility is a DHCP server that uses an LDAP backend. You could also use LDAP to store user credentials for FreeRADIUS. However, with the size of your network, the added complexity probably isn't worthwhile.
Right. But my intentions here were to see what I could achieve choosing the WPA-Enterprise option alternatively to the WPA-Personal (as the checkboxes on the router call it), and thereby maybe apply the FreeRadius. My question was: Is it really possible for me to do this networking different, and with EAP, and learn something from it? How complicated is this task, and is it possible to do it fairly simple gaining profit from a resultant more secure network? And thus grow in knowledge and experience? So far I have learned a lot more through this mailinglist concerning my aims than I originally expected. They way my questions are answered forces me to think in the right rational way and professionally simpler.
Start with the simplest possible setup and only add functionality when you've got the basic stuff working. Keeping the configuration in a revision control system helps, too, not least when upgrading the server to a newer version. I use Subversion, but it is probably best to use what you're most familiar with.
Excellent instruction for me, this.
FreeRADIUS 2.0.3 will make your task much easier as it will build the necessary certificates for EAP automatically. PEAP is pretty easy to get going as there's no need to generate client certificates.
Q: When one of the Win-laptops tries to connect the wireless network it happens it pops up a window asking for certificate. But not all the time. It seems as if there is a box with an entrance for a server certificate in the EAPconfig of that machine. One of the laptops -ASUS- has no entrance whatsoever for EAP extension. The others have. Strange. Any quick comment here?
Whatever your eventual aims, start by getting your wireless users on WPA2-Enterprise (or WPA2 / WPA mixed mode if you have any clients that can't do WPA2) authenticating against FreeRADIUS with PEAP. Use the users file for your users. Anything else should be built on top of that.
Thanks. This is clearifying instruction.
radiusd -X is your friend.
Best wishes,
David -- David Wood david@wood2.org.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _______________________________________________ Surf the Web in a faster, safer and easier way: Download Opera 9 at http://www.opera.com Powered by Outblaze
Hi there, n message <20080420183618.69235CBE80@ws5-11.us4.outblaze.com>, Si St <sigbj-st@operamail.com> writes
----- Original Message ----- From: "David Wood" <david@wood2.org.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: the newbie on radiustesting strikes again Date: Sun, 20 Apr 2008 01:00:42 +0100
Hi,
Ivan has already given you much good advice. I wanted to add a few comments.
In message <20080419222236.5BED97B8F8@ws5-10.us4.outblaze.com>, Si St <sigbj-st@operamail.com> writes
The Router supports EAP/WPA-Enterprise(has a box for this choice;) Automatic (WPA or WPA2), TKIP and AES
I would be very surprised if the RADIUS functionality on the router supports anything other than the wireless access point. It sounds like you have a consumer level unit - not an enterprise level router/firewall here.
You are most probably 100% right In a prevoius mail I told this router to be a DLINK DIR-635 ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_m anual_ww.pdf
Thanks for that - a quick glance confirms it to be a consumer level unit and the RADIUS functionality is limited to the wireless access point, as I thought.
If so, all you can do with RADIUS is to control access to your wireless network - the Authentication and Authorisation of AAA. Most consumer level units do not support Accounting - though some do. If your router doesn't support accounting, there's no point wasting any time setting up accounting in FreeRADIUS!
Which will practically mean access to the router only And the router cannot handle Accounting that will mean giving user names and passwords
Correct - you can use user names and passwords with PEAP, or digital certificates with EAP-TLS, to access your wireless network rather than the single shared secret (PSK) of WPA-Personal.
You will not have the RADIUS functionality of more expensive enterprise level wireless access points, such as the ability to return the VLAN to connect the user to from the RADIUS server. There again, if this is a consumer unit, it probably has no VLAN support anyway.
I find only a box for Virtual Server on the router and on Advanced Network only uPnP; not much to go for here.
This is consumer gear - I would be very surprised to see any VLAN support. I doubt you have 802.1Q capable switches anyway (though L2 managed 10/100 switches are inexpensive these days). See http://en.wikipedia.org/wiki/VLAN for more on VLANs.
If you want better management of DHCP, one possibility is a DHCP server that uses an LDAP backend. You could also use LDAP to store user credentials for FreeRADIUS. However, with the size of your network, the added complexity probably isn't worthwhile.
I should just note that Alan's announcement of the DHCP functionality in the CVS HEAD (and presumably 2.0.4 when it is released) will allow you to use FreeRADIUS to hand out IP addresses - though I suspect that the limitations on this experimental module at present will mean that you're better off sticking with your existing DHCP server.
Right. But my intentions here were to see what I could achieve choosing the WPA-Enterprise option alternatively to the WPA-Personal (as the checkboxes on the router call it), and thereby maybe apply the FreeRadius.
Of course - and that is a valuable aim in itself. Bearing in mind that port 1812 is the only one mentioned (and not 1813), I suspect that your router doesn't support accounting. There's no support for handing out IP addresses via RADIUS attributes either.
My question was: Is it really possible for me to do this networking different, and with EAP, and learn something from it? How complicated is this task, and is it possible to do it fairly simple gaining profit from a resultant more secure network? And thus grow in knowledge and experience?
What you're looking to do is entirely possible, and is worthwhile and valuable. It's where I started out with FreeRADIUS. You can set up FreeRADIUS to authorise your wireless users by user name and password, using PEAP (if you want to give it its full name, PEAPv0/EAP-MSCHAPv2). This will give you a log of who accessed your wireless network and when, and you have better granularity in the access control (that is, you can change and revoke passwords for each user separately, rather than having a single shared secret). WPA Enterprise is also stronger, because the PMK is generated from the EAP exchange and lasts the lifetime of the session, rather than being a cryptographic hash of the PSK (which lasts until you change the PSK). If you wish, you can also experiment with EAP-TLS, and learn more about running your own PKI. This will teach you loads about digital certificates, certificate authorities and the like.
So far I have learned a lot more through this mailinglist concerning my aims than I originally expected. They way my questions are answered forces me to think in the right rational way and professionally simpler.
It sounds worthwhile all round, then! Best wishes, David -- David Wood david@wood2.org.uk
participants (2)
-
David Wood -
Si St