RE: a freeradious/wireless solution for a school
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it. German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582 -----Original Message----- From: freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org [mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius. org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for a school Hi, Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it. There are other options like EAP-PEAP, LEAP etc Check out for the types of EAP and you will find out. Cheers. tml
------------------------------------------------------------------------ -- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://wiki.freeradius.org/EAP -Peter On Tue 23 Jan 2007 00:06, German Kalinec wrote:
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it.
German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582
-----Original Message----- From: freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org [mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius. org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for a school
Hi,
Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it.
There are other options like EAP-PEAP, LEAP etc
Check out for the types of EAP and you will find out.
Cheers.
tml
------------------------------------------------------------------------ -- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Im in a similar environment, after months of research I have come to the following solution. * Apache * Freeradius * Chillispot * Mysql I have a howto that will help you built a system like this in about half an hour, email me if you want the doc. Chillispot provides a captive portal which makes a user authenticate (over ssl), then you have the power to apply restrictions like bandwidth throttling, session time limit, etc. The only maintenance is creating the account. Tas. Peter Nixon wrote:
http://wiki.freeradius.org/EAP
-Peter
On Tue 23 Jan 2007 00:06, German Kalinec wrote:
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it.
German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582
-----Original Message----- From: freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org [mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius. org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for a school
Hi,
Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it.
There are other options like EAP-PEAP, LEAP etc
Check out for the types of EAP and you will find out.
Cheers.
tml
------------------------------------------------------------------------ -- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ************************************* Tas Dionisakos IT Manager St Mary’s College and Newman College The University of Melbourne T: 03 9342 1708 M: 0439 655 565 E: tas@newman.unimelb.edu.au C: (0o (||||)(||||) o0) *************************************
I am interested. Please post the doc. Thakns, --- Tas Dionisakos <tas@newman.unimelb.edu.au> wrote:
Im in a similar environment, after months of research I have come to the following solution.
* Apache * Freeradius * Chillispot * Mysql
I have a howto that will help you built a system like this in about half an hour, email me if you want the doc.
Chillispot provides a captive portal which makes a user authenticate (over ssl), then you have the power to apply restrictions like bandwidth throttling, session time limit, etc.
The only maintenance is creating the account.
Tas.
Peter Nixon wrote:
http://wiki.freeradius.org/EAP
-Peter
On Tue 23 Jan 2007 00:06, German Kalinec wrote:
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it.
German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582
-----Original Message----- From:
freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org
[mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.
org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for a school
Hi,
Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it.
There are other options like EAP-PEAP, LEAP etc
Check out for the types of EAP and you will find out.
Cheers.
tml
------------------------------------------------------------------------
-- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-- ************************************* Tas Dionisakos IT Manager St Marys College and Newman College The University of Melbourne T: 03 9342 1708 M: 0439 655 565 E: tas@newman.unimelb.edu.au C: (0o (||||)(||||) o0) *************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Never miss an email again! Yahoo! Toolbar alerts you the instant new Mail arrives. http://tools.search.yahoo.com/toolbar/features/mail/
I too interested and appreciate if you post the doc in the forum Thanks and regards Naveen -----Original Message----- From: freeradius-users-bounces+naveen=palettemm.com@lists.freeradius.org [mailto:freeradius-users-bounces+naveen=palettemm.com@lists.freeradius.org] On Behalf Of Agent Smith Sent: Tuesday, January 23, 2007 11:45 AM To: FreeRadius users mailing list Subject: Re: a freeradious/wireless solution for a school I am interested. Please post the doc. Thakns, --- Tas Dionisakos <tas@newman.unimelb.edu.au> wrote:
Im in a similar environment, after months of research I have come to the following solution.
* Apache * Freeradius * Chillispot * Mysql
I have a howto that will help you built a system like this in about half an hour, email me if you want the doc.
Chillispot provides a captive portal which makes a user authenticate (over ssl), then you have the power to apply restrictions like bandwidth throttling, session time limit, etc.
The only maintenance is creating the account.
Tas.
Peter Nixon wrote:
http://wiki.freeradius.org/EAP
-Peter
On Tue 23 Jan 2007 00:06, German Kalinec wrote:
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it.
German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582
-----Original Message----- From:
freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org
[mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.
org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for a school
Hi,
Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it.
There are other options like EAP-PEAP, LEAP etc
Check out for the types of EAP and you will find out.
Cheers.
tml
------------------------------------------------------------------------
-- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-- ************************************* Tas Dionisakos IT Manager St Mary's College and Newman College The University of Melbourne T: 03 9342 1708 M: 0439 655 565 E: tas@newman.unimelb.edu.au C: (0o (||||)(||||) o0) *************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________ ________ Never miss an email again! Yahoo! Toolbar alerts you the instant new Mail arrives. http://tools.search.yahoo.com/toolbar/features/mail/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have attached the doc to this post, I have tested this setup tens of times and will work if followed correctly. If you have any further queries please email me. Tas. Agent Smith wrote:
I am interested. Please post the doc.
Thakns,
--- Tas Dionisakos <tas@newman.unimelb.edu.au> wrote:
Im in a similar environment, after months of research I have come to the following solution.
* Apache * Freeradius * Chillispot * Mysql
I have a howto that will help you built a system like this in about half an hour, email me if you want the doc.
Chillispot provides a captive portal which makes a user authenticate (over ssl), then you have the power to apply restrictions like bandwidth throttling, session time limit, etc.
The only maintenance is creating the account.
Tas.
Peter Nixon wrote:
http://wiki.freeradius.org/EAP
-Peter
On Tue 23 Jan 2007 00:06, German Kalinec wrote:
Therein lies the problem. My potential users are
a lot of my students.
The idea of having to install certificates in
200+ laptops is not really
feasible. And showing them how to install is an
exercise in futility,
since most of our students are not computer savvy
enough to do it.
German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582
-----Original Message----- From:
freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org
[mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.
org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for
a school
Hi,
Use EAP-TLS, the most secure one. It will
automatically give encryption
key to the clients. U have to do onething,
install the client
certificates in the beginning in each client machine that will
use your wireless and
thats it.
There are other options like EAP-PEAP, LEAP etc
Check out for the types of EAP and you will find
out.
Cheers.
tml
-- This email and any attachments may be
confidential. They may contain
legally privileged information or copyright material. You
should not read, copy,
use or disclose them without authorisation. If
you are not an intended
recipient, please contact us at once by return
email and then delete
both messages. We do not accept liability in
connection with computer virus,
data corruption, delay, interruption,
unauthorised access or
unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-- ************************************* Tas Dionisakos IT Manager St Mary’s College and Newman College The University of Melbourne T: 03 9342 1708 M: 0439 655 565 E: tas@newman.unimelb.edu.au C: (0o (||||)(||||) o0) *************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Never miss an email again! Yahoo! Toolbar alerts you the instant new Mail arrives. http://tools.search.yahoo.com/toolbar/features/mail/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ************************************* Tas Dionisakos IT Manager St Mary’s College and Newman College The University of Melbourne T: 03 9342 1708 M: 0439 655 565 E: tas@newman.unimelb.edu.au C: (0o (||||)(||||) o0) *************************************
Dear Tas, I am interesting, can you please send the doc to me ? Thank you. Tas Dionisakos wrote:
Im in a similar environment, after months of research I have come to the following solution.
* Apache * Freeradius * Chillispot * Mysql
I have a howto that will help you built a system like this in about half an hour, email me if you want the doc.
Chillispot provides a captive portal which makes a user authenticate (over ssl), then you have the power to apply restrictions like bandwidth throttling, session time limit, etc.
The only maintenance is creating the account.
Tas.
Peter Nixon wrote:
http://wiki.freeradius.org/EAP
-Peter
On Tue 23 Jan 2007 00:06, German Kalinec wrote:
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it.
German Kalinec Systems Manager New Roads School 3131 Olympic Blvd. Santa Monica, CA 90404 (310) 828-5582
-----Original Message----- From: freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.org [mailto:freeradius-users-bounces+gkalinec=newroads.org@lists.freeradius.
org] On Behalf Of Nazeer Khan Sent: Monday, January 22, 2007 1:44 PM To: FreeRadius users mailing list Cc: freeradius-users@lists.freeradius.org Subject: Re: a freeradious/wireless solution for a school
Hi,
Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it.
There are other options like EAP-PEAP, LEAP etc
Check out for the types of EAP and you will find out.
Cheers.
tml
------------------------------------------------------------------------
-- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Kalpin Erlangga Silaen Digital Circuits made from Analog parts. --- Menara Rajawali 12th Floor Jl. Mega Kuningan Lot#5.1 Kawasan Mega Kuningan Jakarta 12950 Telp : (021) 576-3490 (021) 576-1234
Please elaborate on how the system can be circumvented? Tas. A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
* Apache * Freeradius * Chillispot * Mysql
though note that captive portals are easy to mitigate/spoof and circumvent
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ************************************* Tas Dionisakos IT Manager St Mary’s College and Newman College The University of Melbourne T: 03 9342 1708 M: 0439 655 565 E: tas@newman.unimelb.edu.au C: (0o (||||)(||||) o0) *************************************
Hi,
Please elaborate on how the system can be circumvented?
FakeAP spring to mind instantly. as does any of the other man-in-middle attacks. a quick google will bring up many methods of doing such attacks. basically, I set up an a software AP with same SSID. I have same login page - even the same signed certificate if you've been so good as to buy a commercial one - and take the users credentials when they login. I then pull down by AP and use the credentials to login. Trivial stuff. if you use WEP I can do a similar thing to get the 3rd party to send me enough WEP traffic (failures of course) to get the key using the modern crackers. 5 minutes of fun...and then use that WEP for my gateway. (same isnt true - yet - for WPA-PSK - but like WEP those passphrases need to be disemminated. All this falls in the same 'security' bucket (or bin) as MAC authentication, hiding the SSID etc. but since most public sites use these systems its goota be okay. yes? ;-) alan
Hi,
Therein lies the problem. My potential users are a lot of my students. The idea of having to install certificates in 200+ laptops is not really feasible. And showing them how to install is an exercise in futility, since most of our students are not computer savvy enough to do it.
you could always, for example, supply them with a securew2 install package which would have the certificate already included. alan
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Agent Smith -
German Kalinec -
Kalpin Erlangga Silaen -
Naveen -
Peter Nixon -
Tas Dionisakos