Help needed with freeradius, solaris and trapeze
Hello all, I'm new with Freeradius... I've a machine with solaris 10 installed and with freeradius installed too but I'm taking a lot of problems to use it with my Trapeze infrastructure. Can anyone help? I'm starting with WPA2 - TKIP and I would Like to configure FreeRadius to Authenticate some test users that I can create on freeradius. please help really needed... Where should I start??? thank you all.
Miguel Dias wrote:
Can anyone help? I'm starting with WPA2 - TKIP and I would Like to configure FreeRadius to Authenticate some test users that I can create on freeradius.
WPA2 means that the access point isn't doing RADIUS authentication for the users.
please help really needed... Where should I start???
Configure 802.1x for the AP. Don't use WPA2. Alan DeKok.
Hi Alan, Erm... I'm using WPA2/AES that uses 802.1x to authenticate the user :-) WPA2/TKIP is a strange choice (if not technically invalid). Normally, folks go for WPA/TKIP or WPA2/AES. Anyway, back to Miguel's question... I have not used Trapeze kit for a couple of years but I have used it in the past with FreeRADIUS (and derived RADIUS servers). You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text. I believe that the default radius.conf and eap.conf files will work automatically for either option. Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc. Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN. Rgds, Guy 2008/4/28 Alan DeKok <aland@deployingradius.com>:
Miguel Dias wrote:
Can anyone help? I'm starting with WPA2 - TKIP and I would Like to configure FreeRadius to Authenticate some test users that I can create on freeradius.
WPA2 means that the access point isn't doing RADIUS authentication for the users.
please help really needed... Where should I start???
Configure 802.1x for the AP. Don't use WPA2.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Guy Davies wrote:
Erm... I'm using WPA2/AES that uses 802.1x to authenticate the user
Hmm... tI thought the "WPA enterprise" did that... Too many standards, I guess.
You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text.
I believe that the default radius.conf and eap.conf files will work automatically for either option.
In 2.0, yes.
Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc. Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN.
Ah, yes. *That* vendor. Alan DeKok.
Alan DeKok wrote:
Guy Davies wrote:
Erm... I'm using WPA2/AES that uses 802.1x to authenticate the user
Yes Alan is just being facetious; WPA with a PSK is generally referred to as WPA-Personal, WPA with dynamic keying is generally referred to as WPA-Enterprise. Sometimes you see just WPA or WPA-PSK which most take to mean WPA-Personal.
Hmm... tI thought the "WPA enterprise" did that... Too many standards, I guess.
You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text.
Unless your using PEAP offload in which case you just need to list the mschap module, and have the user password available in cleartext or as an nt / lm hash... but don't use PEAP offload. Terminate the EAP tunnel in FR, it generally works better and is far simpler.
I believe that the default radius.conf and eap.conf files will work automatically for either option.
In 2.0, yes.
Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc. Hmm, no. Trapeze use the standard VLAN assignment attributes just like any other Vendor. You may be able to use the VSAs to do fancy stuff but :
Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = <VID> Works just the same.
Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN.
I have a MXR-2 sitting on my desk that says otherwise. You can set a default VLAN for each wireless service profile.... Ah, yes. *That* vendor.
I happen to quite like that vendor and wish people would stop spreading misinformation, especially if they haven't used the kit for a few years *hmpf*. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
Alan DeKok wrote:
Guy Davies wrote:
[..snip..]
You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text.
Unless your using PEAP offload in which case you just need to list the mschap module, and have the user password available in cleartext or as an nt / lm hash... but don't use PEAP offload. Terminate the EAP tunnel in FR, it generally works better and is far simpler.
Agreed. PEAP offload was OK if you had a crappy backend RADIUS server that didn't support EAP very well (or at all), but with a FR backend, you're better off just passing your EAP straight through. [..snip..]
Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc.
Hmm, no. Trapeze use the standard VLAN assignment attributes just like any other Vendor. You may be able to use the VSAs to do fancy stuff but :
Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = <VID>
Then that's definitely changed since I used to use Trapeze when it was first brought to market. I started with a pre-FCS version ;-) They used to have VSAs for Trapeze-VLAN-Name that was quite nice if you had different default VLAN numbers in different buildings in the campus. You could name all the default VLANs the same but give the VLANs different IDs in the different MXes. Using the Tunnel-Private-Group-ID means you have to have a consistent VLAN ID for a particular user group across a campus.
Works just the same.
Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN.
I have a MXR-2 sitting on my desk that says otherwise. You can set a default VLAN for each wireless service profile....
Doesn't that just pickup users that fail to attempt 802.1x authentication? Again, it's been a while since I last used Trapeze kit so things may have changed significantly since then.
Ah, yes. *That* vendor.
I happen to quite like that vendor and wish people would stop spreading misinformation, especially if they haven't used the kit for a few years *hmpf*.
I also very much liked that vendor and had no intention of spreading misinformation. I very specifically stated that it had been a while since I used the kit so that people would take my information in context. I object to being accused of spreading misinformation intentionally. I am not frequently active on this list but I do try to give valid information. If it's wrong, then I'll hold my hand up but berating people for trying will just make people stop giving advice altogether. Guy
Guy Davies wrote:
2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
Alan DeKok wrote:
Guy Davies wrote:
[..snip..]
You need to tell us which EAP method you plan to use. If you are using local users, you can take your pick from EAP-TTLS/PAP or PEAP/MS-CHAPv2. If you use the former, you can have the passwords encrypted in the users file. If you use the latter, the passwords must be in clear text.
Unless your using PEAP offload in which case you just need to list the mschap module, and have the user password available in cleartext or as an nt / lm hash... but don't use PEAP offload. Terminate the EAP tunnel in FR, it generally works better and is far simpler.
Agreed. PEAP offload was OK if you had a crappy backend RADIUS server that didn't support EAP very well (or at all), but with a FR backend, you're better off just passing your EAP straight through.
[..snip..]
Trapeze uses some VSAs to specify which VLAN a user should be connected to, what time-of-day they can connect, etc.
Hmm, no. Trapeze use the standard VLAN assignment attributes just like any other Vendor. You may be able to use the VSAs to do fancy stuff but :
Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = <VID>
Then that's definitely changed since I used to use Trapeze when it was first brought to market. I started with a pre-FCS version ;-) They used to have VSAs for Trapeze-VLAN-Name that was quite nice if you had different default VLAN numbers in different buildings in the campus. You could name all the default VLANs the same but give the VLANs different IDs in the different MXes. Using the Tunnel-Private-Group-ID means you have to have a consistent VLAN ID for a particular user group across a campus.
Yes, which is neat. They also support local VLAN switching on the higher end units, not sure if that's new. I've put in a feature request for VTP & GVRP, but I don't know if they'll be implemented.
Works just the same.
Just look in dictionary.trapeze and you'll see the options. The Trapeze documentation was always pretty good at explaining the purpose and format of those VSAs. You *MUST* include a VLAN-Name VSA when responding to a Trapeze unit or it won't connect you to the correct VLAN.
I have a MXR-2 sitting on my desk that says otherwise. You can set a default VLAN for each wireless service profile....
Doesn't that just pickup users that fail to attempt 802.1x authentication? Again, it's been a while since I last used Trapeze kit so things may have changed significantly since then.
The fall-through stuff doesn't work too well, and it's dealt with in a different manor now as well; regarding VLANS You can set a default VLAN for an SSID, and choose to override it with an assignment from the server, or set a default VLAN and keep it no matter what the server assignment.
Ah, yes. *That* vendor.
I happen to quite like that vendor and wish people would stop spreading misinformation, especially if they haven't used the kit for a few years *hmpf*.
I also very much liked that vendor and had no intention of spreading misinformation. I very specifically stated that it had been a while since I used the kit so that people would take my information in context. I object to being accused of spreading misinformation intentionally. I am not frequently active on this list but I do try to give valid information. If it's wrong, then I'll hold my hand up but berating people for trying will just make people stop giving advice altogether.
Sorry, I tend to be more 'bitey' when sleepy/ just awaking from sleep. I know you weren't intentionally spreading misinformation... it just happens when you haven't used something in a number of years. It appears there's a fair amount of 'voodoo' surrounding trapeze and external RADIUS server configuration just trying to keep it to a minimum. Arran
Guy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Guy Davies -
Miguel Dias