Controlling access to my Wireless network.
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this. I have a couple SonicWall SonicPoint devices that have the capability to do WPA Enterprise or WPA2 enterprise or both. I would like to be able to have a user attempt to join my wireless network, but be presented with the request for Username and Password. From there I would like to be able to have their connection authenticated and then allow them on. No authentication, no getting on. Securing the wireless signal is not the primary focus here. Securing the access to the network is. Is there a way to do this? I have FreeRadius 1.1.7 installed and working and currently will authenticate against my ldap server. Thank you for lending a hand to a newby here. Kent
simplest, don't turn it on. On 9/18/07, Kent Thomas <Kent@solarbee.com> wrote:
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this.
I have a couple SonicWall SonicPoint devices that have the capability to do WPA Enterprise or WPA2 enterprise or both. I would like to be able to have a user attempt to join my wireless network, but be presented with the request for Username and Password. From there I would like to be able to have their connection authenticated and then allow them on. No authentication, no getting on. Securing the wireless signal is not the primary focus here. Securing the access to the network is.
Is there a way to do this? I have FreeRadius 1.1.7 installed and working and currently will authenticate against my ldap server.
Thank you for lending a hand to a newby here. Kent
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this.
This is an extremely common setup. http://wiki.freeradius.org/WPA_HOWTO
Phil, Thanks a million for the reply. You are the first to actually reply with some info for me to look at. The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this? Thanks a million. Kent On 9/18/07 4:01 PM, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this.
This is an extremely common setup.
http://wiki.freeradius.org/WPA_HOWTO
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you have XP clients your best option is PEAP. Read instructions in eap.conf about setting it up. But that will work only if your passwords are stored in plain text or NT hash (not much to do with EAP but MSCHAPv2 used as tunnel authentication protocol). If your passwords are encrypted in some other way you can use SecureW2 suppicant and TTLS-PAP. Ivan Kalik Kalik Informatika ISP Dana 18/9/2007, "Kent Thomas" <Kent@solarbee.com> piše:
Phil, Thanks a million for the reply. You are the first to actually reply with some info for me to look at.
The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this?
Thanks a million. Kent
On 9/18/07 4:01 PM, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this.
This is an extremely common setup.
http://wiki.freeradius.org/WPA_HOWTO
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan,Thanks a million. I've been looking at using peap. I have a mixed network, mac & xp. I wouldn't mind using plain text passwords if that could be forced. The only configurations that get close to working get as far as machapv2, then fail because of no nt/lm password. If I could use the password from my ldap connection which seems to be working nicely, then I would be thrilled. Could you give me the eap.conf that would do that? Thanks a million Kent On 9/18/07 4:27 PM, "tnt@kalik.co.yu" <tnt@kalik.co.yu> wrote:
If you have XP clients your best option is PEAP. Read instructions in eap.conf about setting it up. But that will work only if your passwords are stored in plain text or NT hash (not much to do with EAP but MSCHAPv2 used as tunnel authentication protocol). If your passwords are encrypted in some other way you can use SecureW2 suppicant and TTLS-PAP.
Ivan Kalik Kalik Informatika ISP
Dana 18/9/2007, "Kent Thomas" <Kent@solarbee.com> piše:
Phil, Thanks a million for the reply. You are the first to actually reply with some info for me to look at.
The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this?
Thanks a million. Kent
On 9/18/07 4:01 PM, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this.
This is an extremely common setup.
http://wiki.freeradius.org/WPA_HOWTO
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you are in control of Ldap server then you can enforce whatever password scheme you see fit. If you map Clertext-Password attribute to plain text passwords in Ldap everything will work fine. But if you are using crypt, sha or such on your passwords, mschap will never work. Your eap.conf is likely to be OK if you are getting that far. Mschapv2 is failing because passwords in Ldap are encrypted or mapped to some other password attribute (most often User-Password). But you will need to post the whole eap conversation in order to be sure. Ivan Kalik Kalik Informatika ISP Dana 18/9/2007, "Kent Thomas" <Kent@solarbee.com> piše:
Ivan,Thanks a million. I've been looking at using peap. I have a mixed network, mac & xp. I wouldn't mind using plain text passwords if that could be forced. The only configurations that get close to working get as far as machapv2, then fail because of no nt/lm password. If I could use the password from my ldap connection which seems to be working nicely, then I would be thrilled. Could you give me the eap.conf that would do that? Thanks a million Kent
On 9/18/07 4:27 PM, "tnt@kalik.co.yu" <tnt@kalik.co.yu> wrote:
If you have XP clients your best option is PEAP. Read instructions in eap.conf about setting it up. But that will work only if your passwords are stored in plain text or NT hash (not much to do with EAP but MSCHAPv2 used as tunnel authentication protocol). If your passwords are encrypted in some other way you can use SecureW2 suppicant and TTLS-PAP.
Ivan Kalik Kalik Informatika ISP
Dana 18/9/2007, "Kent Thomas" <Kent@solarbee.com> piše:
Phil, Thanks a million for the reply. You are the first to actually reply with some info for me to look at.
The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this?
Thanks a million. Kent
On 9/18/07 4:01 PM, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
Hello all, I'm looking for a simple way to protect access to my wireless network. I'm seeing a lot of old documentation on how to use EAP-TLS to protect the wireless network. I've found lots of old documentation on how to setup WPA Enterprise. I would like some updated docuentation on how to do this.
This is an extremely common setup.
http://wiki.freeradius.org/WPA_HOWTO
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
network, mac & xp. I wouldn't mind using plain text passwords if that could be forced. The only configurations that get close to working get as far as machapv2, then fail because of no nt/lm password. If I could use the password from my ldap connection which seems to be working nicely, then I would be thrilled. Could you give me the eap.conf that would do that? Thanks a million
it wouldnt be in your eap.conf for a start - if you want to use PEAP against your LDAP then you'll most likely need to put the NT hash of their password into your LDAP directory and point to that instead in your LDAP checks. a lot (a LOT) of people do this and are present on this list. if you want to use plain test password checks then EAP-TTLS with PAP inner is one of the only ways - but for that you'll need to install extra software on the WinXP machines alan
Hi,
The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this?
err no. EAP-TLS uses client and server certificates. if you want to use just the server cert then EAP-PEAP or EAP-TTLS is your way. alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Donny Jekels -
Kent Thomas -
Phil Mayers -
tnt@kalik.co.yu