Confused what to do next~How to understand FreeRadius
Hello Everyone: Thank you very much for opening this topic. I have worked on FreeRadius for almost 2 monthes,my purpose is to set up a Radius server which could be used for authentication , authority and accounting for my WLAN. Right now, I "guess" i have finished the "Authentication Step". I installed the Radius server + MySQL on my FC 14 host,there is a client AP connect to this radius server, the users hold Windows XP laptop could get authentication from radius server via PEAP or EAP-TLS. Here is a first little problem.Right now i could add and delete user in the radcheck table of MySQL,but all the passwords were stored in cleartext?is this the only way to store this password? is it safe enough?is it could be store in the format of ****** like what we set in the wpa-psk mode? Most Seriously, I am confused how to implement the "Authority Step" and "Accounting Step". For the "Authority Step",in my thought, I should create several different GROUPs, each GROUP has different authority,and then divide the users into different GROUPs and get different authority. Is that correct? For the "Accounting Step",i used DaloRadius,but found out there are few help for this web base management system online, and the MANUAL will cost $250.And also the additional mySQL tables makes me more confused. I want to know if there is a example that set up the authority and accounting features of FreeRadius?or just give me a little hints about where to start it step by step.I know there is a really big question. Any hints will be really help,any useful docments and links will be really appreciate. For example, there are 9 tables in the defalut mysql scheme, like radcheck,radacct,nas,radgroup,radgroupreply etc, is there a document to describe these features? I read all the .conf files couple of times ,but still confused about this stuff. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Confused-what-to-do-next-How-to-unde... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Tue, Sep 27, 2011 at 4:25 PM, snan4love <snan4love@hotmail.com> wrote:
Here is a first little problem.Right now i could add and delete user in the radcheck table of MySQL,but all the passwords were stored in cleartext?
Depending on which tutorial you follow, yes.
is this the only way to store this password?
Nope
is it safe enough?
Depends. See faq, start from http://wiki.freeradius.org/FAQ#PAP+authentication+works+but+CHAP+fails You should be able to store passwords as NT-Password instead of Cleartext-Password if you only use pap and chap. Considering your level of knowledge, I don't recommend doing so at this stage though.
is it could be store in the format of ****** like what we set in the wpa-psk mode?
Just because you can't SEE it (i.e. *****) doesn't mean windows or the AP store it in encrypted format. So your question is not relevant.
Most Seriously, I am confused how to implement the "Authority Step" and "Accounting Step". For the "Authority Step",in my thought, I should create several different GROUPs, each GROUP has different authority,and then divide the users into different GROUPs and get different authority. Is that correct? For the "Accounting Step",i used DaloRadius,but found out there are few help for this web base management system online, and the MANUAL will cost $250.
Sorry, your question makes me confused. At this moment I suggest you write which tutorial/manual you're following, and ask the author/community list/forums.
For example, there are 9 tables in the defalut mysql scheme, like radcheck,radacct,nas,radgroup,radgroupreply etc, is there a document to describe these features?
Start with doc/rlm_sql. The docs are there for a purpose you know. -- Fajar
snan4love wrote:
Thank you very much for opening this topic. I have worked on FreeRadius for almost 2 monthes,my purpose is to set up a Radius server which could be used for authentication , authority and accounting for my WLAN.
That should be pretty straightforward.
Right now, I "guess" i have finished the "Authentication Step". I installed the Radius server + MySQL on my FC 14 host,there is a client AP connect to this radius server, the users hold Windows XP laptop could get authentication from radius server via PEAP or EAP-TLS. Here is a first little problem.Right now i could add and delete user in the radcheck table of MySQL,but all the passwords were stored in cleartext?is this the only way to store this password? is it safe enough?is it could be store in the format of ****** like what we set in the wpa-psk mode?
You will need to store the passwords in cleartext. It really is the best way.
Most Seriously, I am confused how to implement the "Authority Step" and "Accounting Step".
Not "authority", but "authorization".
For the "Authority Step",in my thought, I should create several different GROUPs, each GROUP has different authority,and then divide the users into different GROUPs and get different authority. Is that correct?
For "authorization", yes.
For the "Accounting Step",i used DaloRadius,but found out there are few help for this web base management system online, and the MANUAL will cost $250.And also the additional mySQL tables makes me more confused.
Why? What is confusing about them? Ask a question. Saying "I'm confused" means we don't know how to help you. The documentation exists, and should be clear. See doc/rlm_sql, among others. Alan DeKok.
Hi, *please*, I need advice in choosing the strategy for the distributed EAP authentification scheme so, here are details of what I have and want: I run FreeRadius with EAP configured all my WiFi AP are configured to communicate with the radiusd and everything works fine now I need to extend my VPN with several remote branches where inet connection is not stable, but I need to provide WiFi access there too even in case when inet connection is off ... so, is it possible to use local (for each branch) radiusd to allow access, *but* : 1. if inet is alive, than authenticate via the central radius 2. if inet connection is not established, authenticate via local mechanism (preferably EAP) -- Zeus V. Panchenko JID:zeus@gnu.org.ua GMT+2 (EET)
On 28 Sep 2011, at 07:12, Zeus V Panchenko wrote:
Hi,
*please*, I need advice in choosing the strategy for the distributed EAP authentification scheme
so, here are details of what I have and want:
I run FreeRadius with EAP configured
all my WiFi AP are configured to communicate with the radiusd and everything works fine
now I need to extend my VPN with several remote branches where inet connection is not stable, but I need to provide WiFi access there too even in case when inet connection is off ...
so, is it possible to use local (for each branch) radiusd to allow access, *but* :
1. if inet is alive, than authenticate via the central radius 2. if inet connection is not established, authenticate via local mechanism (preferably EAP)
Yes, home server pools let you specify a 'fallback' home server which can point to a virtual server. It should be working in v2.1.x but is currently broken in 3.x. See proxy.conf for details. Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
thanks for quick reply Arran Cudbard-Bell (a.cudbardb@freeradius.org) [11.09.28 08:28] wrote:
Yes, home server pools let you specify a 'fallback' home server which can point to a virtual server. It should be working in v2.1.x but is currently broken in 3.x.
See proxy.conf for details.
if i have core.radius.my.domain as my primary radius server and fallback.radius.my.domain as radius installed on AP than i need in proxy.conf home_server_pool my_auth_failover { type = fail-over home_server = core.radius.my.domain fallback = fallback.radius.my.domain } but than, I need configure EAP/TLS on fallback.radius.my.domain identical to core.radius.my.domain one, correct? since without the same server certificates my clients will not be able authenticate with fallback.radius.my.domain am I correct? -- Zeus V. Panchenko JID:zeus@gnu.org.ua GMT+2 (EET)
On 28 Sep 2011, at 12:11, Zeus V Panchenko wrote:
thanks for quick reply
Arran Cudbard-Bell (a.cudbardb@freeradius.org) [11.09.28 08:28] wrote:
Yes, home server pools let you specify a 'fallback' home server which can point to a virtual server. It should be working in v2.1.x but is currently broken in 3.x.
See proxy.conf for details.
if i have core.radius.my.domain as my primary radius server and fallback.radius.my.domain as radius installed on AP
than i need in proxy.conf
home_server_pool my_auth_failover { type = fail-over home_server = core.radius.my.domain fallback = fallback.radius.my.domain }
but than, I need configure EAP/TLS on fallback.radius.my.domain identical to core.radius.my.domain one, correct?
Correct.
since without the same server certificates my clients will not be able authenticate with fallback.radius.my.domain
am I correct?
Partially. If you're using your own CA, then you could just sign multiple sets of server certificates and trust your CA on the clients. Thats one of the neat things about the PKI model. If you're using a commercial CA, then the cost of all those certificates might be prohibitive, and you should be using CN field checking, so yes you'd probably want to use the same certificates on all servers, even though it increases the risk of private key exposure. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
Zeus V Panchenko wrote:
but than, I need configure EAP/TLS on fallback.radius.my.domain identical to core.radius.my.domain one, correct?
Yes. Just copy the config && the files.
since without the same server certificates my clients will not be able authenticate with fallback.radius.my.domain
am I correct?
Yes. Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Fajar A. Nugraha -
snan4love -
Zeus V Panchenko