a freeradious/wireless solution for a school
Hello, I work for a mid-size private school (about 700-800 people on campus), and I'm trying to set up a way to limit the use of our wireless to our students/staff. The main problem that I'm encountering is finding a solution that will fit our needs. A little background first... When I first started (about a year ago, and I'm still the only IT person managing the whole school network) we had crappy wireless at different places on campus for students and staff to access our network. The person who set these up (my current boss) simply did a MAC access control list on each AP and made the students and staff come to him to register their computers. This was a major pain since each of our APs (7 of them) had to have the new MAC address manually added to each AP every time we had a new laptop. The problem with this solution (aside from having to enter the MACs 7 times) was that we eventually run out of room in the MAC table. After some negotiating we got new wireless, but still not top of the line (I wanted CISCOs, we got Netgear WPN802s instead), and I found that we still run out space in the table (it now help 50, we now have about 100+ laptops being used by students). I know that the solution is to implement a radius authentication with the APs that we have. The APs support radius servers using either WAP or legacy 802.1X (with WEP keys). I did tons of research on WAP (being the preferred method), but I could not get around the fact that certificates MUST be installed in the client computer in order for the protocol to work. This is simply impossible since most of our students (and staff for that matter) are unable to install certificates (or unwilling) and having to install certificates manualy myself is just too time consuming. So my first questions is what methods would you suggest for this kind of set up? My original idea was to implement the legacy 802.1x option. i managed to set up the AP correctly and the radius server to authenticate based on MAC addresses, but I could not find a way to get the WEP key back to the client laptop. I'm not even sure it is possible, really, and I'm hesitant to try to have our students and staff enter a WEP key into their laptops themselves (since when they fail they will come for me to set it up, and if I wanted to change the WEP key, I would have to re-change it on every laptop). Is tehre any way for the radius server to send back the WEP key to the client? I know it must seem horribly insecure (and it is), but I have to show my boss a solution that is better than simply leaving our network open. Can some one help or suggest a better way of resolving this? -- View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, Use EAP-TLS, the most secure one. It will automatically give encryption key to the clients. U have to do onething, install the client certificates in the beginning in each client machine that will use your wireless and thats it. There are other options like EAP-PEAP, LEAP etc Check out for the types of EAP and you will find out. Cheers. tml
-------------------------------------------------------------------------- This email and any attachments may be confidential. They may contain legally privileged information or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages. We do not accept liability in connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment. This notice should not be removed.
On 1/18/07, gkalinec <gkalinec@newroads.org> wrote:
places on campus for students and staff to access our network. The person who set these up (my current boss) simply did a MAC access control list on each AP and made the students and staff come to him to register their computers. This was a major pain since each of our APs (7 of them) had to have the new MAC address manually added to each AP every time we had a new laptop. The problem with this solution (aside from having to enter the MACs 7 times) was that we eventually run out of room in the MAC table. After
For the first wireless deployment at the .edu where I work, we used a similar solution except that we used FreeRADIUS with a MySQL backend for "registering" MAC addresses. Since "MAC authentication" isn't secure at all, we ended up also requiring a VPN connection in order to "get out". Like you, I've recently gotten new equipment and am actually trying to simplify things. We're doing away with the MAC authentication and VPN connection and will simply be using ChilliSpot for controlling access to our wireless networks. ChilliSpot uses FreeRADIUS for authentication (and FreeRADIUS is verifying credentials against our enterprise LDAP directory) with accounting information being stored in MySQL. Don't bother trying to use WEP in an academic environment. The point of a WEP key is to keep it a secret. It's no longer a secret if you must give it out to everyone. We implemented the VPN connection to "force" a secure connection, but we're doing away with that. HTH, -j -- Jeremy L. Gaddis, MCP, GCWN http://www.linuxwiz.net/
Without being too subtle, You've mis-understood much of the research you've read. Don't worry about it, there is quite a bit of contradictory information out there. There's quite a bit of background information, so it'll be a little bit before I mention FreeRADIUS. First. It's WPA, not WAP. (Different fields of technology) Forget much of what you've read. First, This is what you have been doing. Its called MAC filtering. The AP will only talk to MAC's that it has in it's table. In short, this is useless, since if I wanted to get on, I'd just fire up a packet sniffer. (They're free and easy to get. http://www.wireshark.org/ for example) Copy some poor souls MAC address, and I'm on. It's an administrative nightmare. You should not do this. A second form of this, is to load all the MAC addresses into a radius server, then the AP will interrogate Radius to find out if it's on it's allow list. This is as useless as the way your doing it now, because I can still easily copy your MAC address. You should not do this either. Second: You mention 802.1x with WEP. You do not enter WEP keys at all, the RADIUS server takes care of it. This is a standard way of doing wireless. However I'd highly recommend you DO NOT pursue this, as it's very insecure, and has been replaced by WPA. All the benefits of doing this apply to WPA. But you can do this if you want, but I'd suggest not to. Third Now we're on to WPA. This is what you should implement. WPA comes in two forms. WPA and WPA2 The primary difference is the WPA was designed as a interim protocol, with backward compatibility in mind. WPA2 was designed to be run on new hardware, and uses AES encryption. If you are setting a new network up, just use WPA2. Both WPA and WPA2 come in two forms. PSK and Enterprise PSK (or Pre-Shared Key) is what you mentioned. You load a secret key onto all your AP's, and then put the same key on all your users machines. It's designed for HOME Use. You do NOT want to use this form. Enterprise is what you WANT to use. You have all your usernames and passwords stored in a database. (Be it SQL, ActiveDirctory, LDAP, etc) This is where FreeRADIUS comes in. You configure all your AP's to use RADIUS, and give it the radius IP. You configure RADIUS to perform either TTLS and/or PEAP. (This is site specific, you need to decide your backend database to determine which one you can use) You configure your client to use TTLS or PEAP, and upon connecting to the network, they will be prompted to enter username and password. If they don't have one, they don't get on. If they do have one, they get on. Now we're at RADIUS. What type of user database do you have? Activedirectory? Novell? No having one is an acceptable answer as well. Post back, it's a lot of info, but we're here to help.
Quoting "King, Michael" <MKing@bridgew.edu>:
You configure your client to use TTLS or PEAP, and upon connecting to the network, they will be prompted to enter username and password. If they don't have one, they don't get on. If they do have one, they get on.
This also solves your problem of having to give out a cert to each client as both of these only require a server side cert. You could then purchase a certificate from a trusted CA and that would already be in their browsers list of Trusted CA's. Here are a couple of howto's the first is for a Linux supplicant and the second is for using a Windows supplicant. What's a supplicant? The client. http://tldp.org/HOWTO/html_single/8021X-HOWTO/ http://text.dslreports.com/forum/remark,9286052~mode=flat Hope that helps, Jon
The database is not a problem, since we have a huge one in place, one stored in Active Directory (for which I can use the freeradius LDAP module) or MySQL one. The database is really our main strength, since we have tons of information about every student, staff and parent in (its what my main job responsibility entails). A quick question, however, would this be just as eay to set up on a Macintosh? (since many of my supplicants will be macs..) German Kalinec King, Michael wrote:
Without being too subtle, You've mis-understood much of the research you've read. Don't worry about it, there is quite a bit of contradictory information out there.
There's quite a bit of background information, so it'll be a little bit before I mention FreeRADIUS.
First. It's WPA, not WAP. (Different fields of technology)
Forget much of what you've read.
First, This is what you have been doing.
Its called MAC filtering. The AP will only talk to MAC's that it has in it's table. In short, this is useless, since if I wanted to get on, I'd just fire up a packet sniffer. (They're free and easy to get. http://www.wireshark.org/ for example) Copy some poor souls MAC address, and I'm on. It's an administrative nightmare.
You should not do this. A second form of this, is to load all the MAC addresses into a radius server, then the AP will interrogate Radius to find out if it's on it's allow list. This is as useless as the way your doing it now, because I can still easily copy your MAC address. You should not do this either.
Second: You mention 802.1x with WEP. You do not enter WEP keys at all, the RADIUS server takes care of it. This is a standard way of doing wireless. However I'd highly recommend you DO NOT pursue this, as it's very insecure, and has been replaced by WPA. All the benefits of doing this apply to WPA. But you can do this if you want, but I'd suggest not to.
Third Now we're on to WPA. This is what you should implement.
WPA comes in two forms. WPA and WPA2
The primary difference is the WPA was designed as a interim protocol, with backward compatibility in mind. WPA2 was designed to be run on new hardware, and uses AES encryption. If you are setting a new network up, just use WPA2.
Both WPA and WPA2 come in two forms. PSK and Enterprise
PSK (or Pre-Shared Key) is what you mentioned. You load a secret key onto all your AP's, and then put the same key on all your users machines. It's designed for HOME Use. You do NOT want to use this form.
Enterprise is what you WANT to use. You have all your usernames and passwords stored in a database. (Be it SQL, ActiveDirctory, LDAP, etc) This is where FreeRADIUS comes in. You configure all your AP's to use RADIUS, and give it the radius IP.
You configure RADIUS to perform either TTLS and/or PEAP. (This is site specific, you need to decide your backend database to determine which one you can use)
You configure your client to use TTLS or PEAP, and upon connecting to the network, they will be prompted to enter username and password. If they don't have one, they don't get on. If they do have one, they get on.
Now we're at RADIUS. What type of user database do you have? Activedirectory? Novell? No having one is an acceptable answer as well.
Post back, it's a lot of info, but we're here to help.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
responsibility entails). A quick question, however, would this be just as eay to set up on a Macintosh? (since many of my supplicants will be macs..)
Macs are very friendly with wireless (well, if its OSX 10.3 and higher anyway). you can configure them to match the PC method - EAP-PEAP or go via EAP-TTLS with MSCHAPv2 internal tunnel etc alan
So then it seems to me that my best solution would then be to implement either an EAP-PEAP or EAP-TTLS solution authenticating against either my mysql or my active directory (I've been reading the ntlm authentication through samba, and it's not something hard to set up). This way I can have server-side certificates only and have the users login with their usernames and passwords. What would, in your opinion, be better? TTLS or PEAP? Also, if I had a laptop for school-only use (say, for example, a laptop that we provide for the users), in this case the wireless connection would ned to be establish without user input (for example, have he machine connected already so that the user can log into the machine through windows). Could I then still use either of these methods (and generate a client cert to log in), or should I implement a different solution? Thanks, German Kalinec A.L.M.Buxey wrote:
Hi,
responsibility entails). A quick question, however, would this be just as eay to set up on a Macintosh? (since many of my supplicants will be macs..)
Macs are very friendly with wireless (well, if its OSX 10.3 and higher anyway). you can configure them to match the PC method - EAP-PEAP or go via EAP-TTLS with MSCHAPv2 internal tunnel etc
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Quoting gkalinec <gkalinec@newroads.org>: What would, in your opinion, be better? TTLS or PEAP? I believe with TTLS you would need to load software on each computer, can someone else verify that? I am using PEAP and it works with Windows, Macs and linux(using wpa_supplicant or xsupplicant).
Also, if I had a laptop for school-only use (say, for example, a laptop that we provide for the users), in this case the wireless connection would ned to be establish without user input (for example, have he machine connected already so that the user can log into the machine through windows).
When using PEAP when your user logs in for the first time and validates their identity and accepts your cert, they never have to repeat the process, unless they get a new machine. When they come back into contact with your hotspot their computer will automagically log them back in. Could I
then still use either of these methods (and generate a client cert to log in), or should I implement a different solution?
If you are using PEAP or TTLS you don't need a client cert, you can have one but it is not needed. Trying to get a client cert to every user could be a real pain, it might be easier if you use AD to push it to each system, I don't use AD, so I can't say for sure. Hope that helps, Jon
Hi,
So then it seems to me that my best solution would then be to implement either an EAP-PEAP or EAP-TTLS solution authenticating against either my
PEAP or TTLS? no reason why you cannot have both. FreeRADIUS is quite happy doing both at same time... especially if you use MSCHAPv2 as the inner auth for the TTLS. its the same ntlm_auth line then too.
and passwords. What would, in your opinion, be better? TTLS or PEAP?
its down to philosophy more than anything - until the proof that PEAP can be broken with a simple tool ;-) - some implementations of PEAP are known to be 'leaky' - they leak some of the challenge/response. that said. if you want anonymity, TTLS is the only way - can use an anoymous auto identity. with most PEAP, you inner username is thrown to the outer identity by default.
Also, if I had a laptop for school-only use (say, for example, a laptop that we provide for the users), in this case the wireless connection would ned to be establish without user input (for example, have he machine connected already so that the user can log into the machine through windows). Could I
if you use the AD, you can configure it to use machine authentication...in this case the machine ID is in the AD and the system logs in before the user - now you can have active, non-cached user logins too. alan
-----Original Message-----
The database is not a problem, since we have a huge one in place, one stored in Active Directory (for which I can use the FreeRADIUS LDAP module) or MySQL one.
If you use ActiveDirectory, I believe you would have an easier time using ntlm_auth. Using LDAP with ActiveDirectory requires some work. http://deployingradius.com/documents/configuration/active_directory.html MySQL should be trivial for you to implement. For why LDAP with ActiveDirectory doesn't work, see http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html
Hi German, You've already had much wisdom; I'm going to try a comprehensive reply to the whole problem. In message <8437548.post@talk.nabble.com>, gkalinec <gkalinec@newroads.org> writes
I work for a mid-size private school (about 700-800 people on campus), and I'm trying to set up a way to limit the use of our wireless to our students/staff. The main problem that I'm encountering is finding a solution that will fit our needs.
Yours is hardly the biggest wireless deployment; there are solutions that exist for this.
A little background first... When I first started (about a year ago, and I'm still the only IT person managing the whole school network) we had crappy wireless at different places on campus for students and staff to access our network. The person who set these up (my current boss) simply did a MAC access control list on each AP and made the students and staff come to him to register their computers. This was a major pain since each of our APs (7 of them) had to have the new MAC address manually added to each AP every time we had a new laptop. The problem with this solution (aside from having to enter the MACs 7 times) was that we eventually run out of room in the MAC table.
MAC authentication is trivially broken. Most wireless cards can work with a spoofed MAC address, and MAC addresses are trivially sniffed from the air. As you've also found out, maintainability of MAC tables is an issue. Some APs (including the 3Com 8760 - more about that in a minute) support MAC authentication against a RADIUS server, but it's usually not worth the effort, as it provides little if any extra security on top of WPA. In fact, the 3Com 8760 doesn't support MAC authentication against a RADIUS server when using 802.1x. You could configure the RADIUS server to verify the MAC address when dealing with EAP, but this adds so little to security it isn't worth the hassle and the maintenance effort in my opinion.
After some negotiating we got new wireless, but still not top of the line (I wanted CISCOs, we got Netgear WPN802s instead), and I found that we still run out space in the table (it now help 50, we now have about 100+ laptops being used by students).
It doesn't have to be Cisco to be decent; there are some reasonable enough enterprise APs from other vendors. The latest AP I bought was a 3Com 8760, which is a dual band (802.11a and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access points per band (each with a different SSID, encryption and authentication settings, and optionally a different VLAN as well). It supports 802.1q tagged VLAN operation, RADIUS authentication and accounting, and you can return which VLAN to connect a user to in the Access-Accept packet from your RADIUS server. The 8760 is a Power over Ethernet device, and is supplied with simple Power over Ethernet injector. The only drawbacks I've found are that the web interface doesn't work perfectly in Firefox (it's documented as IE only in the current firmware release), RADIUS accounting has to be set at the CLI (again, documented as a limitation in the current firmware) and the PoE injector isn't fully 802.3af compliant, in that it doesn't employ any resistive sensing and is permanently live instead (which means you have to be careful what you connect it to - I inadvertently blew up a cheap network tester by connecting it to the other end of one of these). It's not just the RADIUS accounting that you need to set up in the CLI - in fact, there's a few useful bits and pieces not supported in the web interface. Things like WPA2 pre-authentication are most easily configured in the CLI. Fortunately the user guide has full documentation of all the CLI commands. There is a single band version of the 8760, the 7760 (capable of 802.11a or 802.11b/g, but not both at once unlike the 8760). I had a quick look at the manual of the Netgear WPN802v1, and it's a device that I'd class only as a consumer grade AP - in fact, it falls well short of what most consumer grade APs can achieve. Despite the documentation of EAP and WPA2 in the appendix to the manual, it doesn't appear from the specification to support anything higher than WPA-PSK, which is useless in this context. Handing out a passphrase to 100+ users just isn't on. You hint later that the Netgear APs have WPA Enterprise support - that's WPA with RADIUS rather than a Pre Shared Key. If not, you're going to need new APs - indeed, you may find the that existing APs really aren't up to the job even if they do have WPA Enterprise support. The 'sales' pitch is that you will be securing your wireless network properly. I'd go for a proper enterprise AP this time, and you could certainly evaluate the 3Com units I've mentioned. Just to indicate how an enterprise grade AP needn't cost a fortune, current pricing in the UK is around GBP75 for the Netgear WPN802, whilst the 3Com 7760 can be had for GBP110 and the 3Com 8760 for GBP175. Power over Ethernet makes installation much easier. Overall, the price of decent network infrastructure is coming down; a decent 24 port 10/100 plus 2 port 10/100/1000 L2 managed switch such as a HP Procurve 2510-24 is around GBP200 now. If everything has WPA2 support, deploy WPA2, but you may have some clients that only support WPA AES, in which case WPA2-Mixed mode may come to the rescue. If you have some clients that only support WPA TKIP, you'll probably have to use WPA Enterprise TKIP. It's in this sort of scenario that the virtual APs of the 3Com units are useful - you can use WPA2 when possible, whilst accommodating kit that can't manage WPA2 as well, optionally on a separate VLAN that maybe doesn't have access to more secure internal services. Indeed, you can use the 3Com APs to provide simultaneous wireless hotspot service via a captive portal setup (such as Chillispot) and RADIUS authenticated access to the internal network for authorised users - again, it's the virtual AP feature that comes in so useful.
I know that the solution is to implement a radius authentication with the APs that we have. The APs support radius servers using either WAP or legacy 802.1X (with WEP keys). I did tons of research on WAP (being the preferred method), but I could not get around the fact that certificates MUST be installed in the client computer in order for the protocol to work. This is simply impossible since most of our students (and staff for that matter) are unable to install certificates (or unwilling) and having to install certificates manualy myself is just too time consuming.
You mean WPA, not WEP.
So my first questions is what methods would you suggest for this kind of set up?
Many wireless supplicants, such as the Microsoft one built into Windows XP, only support EAP-TLS and "PEAP" (technically PEAPv0/EAP-MSCHAPv2). There are other forms of EAP, such as EAP-TTLS, but without broad supplicant support, they're no use to you. EAP-TLS requires client side certificates. I use it - but for you it's out of the question. You need a robust infrastructure to issue client certificates and the support burden is heavy, too. You should therefore look at PEAP - the only certificate required in that case is one for the RADIUS server, with the clients using user names and passwords. As others have said, if you have an authentication database already, you may be able to leverage that for PEAP in FreeRADIUS (using SQL, LDAP, Active Directory or Kerberos as appropriate). It depends on the password format, mainly. You may be able to get away with creating your own CA (or using an existing CA under your control) when creating the server certificate, but that may require you to install root certificates on at least some machines. There's no harm testing with a certificate issued on your own CA - if it causes problems, get a certificate for the RADIUS server from a CA whose root certificate is in all the operating systems in question. Make sure the certificate signing request has the appropriate extensions, however! Using PEAP may give you problems with Windows XP machines that aren't upgraded to SP2 (and you may additionally need the KB885453 hotfix). You can probably get away with setting the cipher_list in eap.conf to HIGH for added security; certainly that works with all my wireless clients, though it does depend which ciphers your wireless supplicants support.
My original idea was to implement the legacy 802.1x option. i managed to set up the AP correctly and the radius server to authenticate based on MAC addresses, but I could not find a way to get the WEP key back to the client laptop. I'm not even sure it is possible, really, and I'm hesitant to try to have our students and staff enter a WEP key into their laptops themselves (since when they fail they will come for me to set it up, and if I wanted to change the WEP key, I would have to re-change it on every laptop). Is tehre any way for the radius server to send back the WEP key to the client? I know it must seem horribly insecure (and it is), but I have to show my boss a solution that is better than simply leaving our network open. Can some one help or suggest a better way of resolving this?
I'd forget all about WEP with 802.1x; it's not well standardised, it's insecure because WEP is insecure and client support is often not as good as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA Enterprise) is where you should be looking; the necessary keys to enable it to work are generated by the RADIUS server and passed to the AP. In summary, I recommend setting up a PEAP setup using FreeRADIUS, and using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's all they support. If that proves impractical, some kind of Chillispot or similar captive portal setup based around RADIUS is possible, but that won't encrypt the data on the wireless network, which should be one of your aims. Chillispot can be used with WPA, but I have no experience of doing this. MAC authentication, in my opinion, isn't worth bothering with - the security it provides is trivially broken, and management is a nightmare. If you need new APs, something like the 3Com 7760 or 8760 would be more suitable than the arguably consumer grade Netgear units you have, not least because you can accommodate legacy clients that can't be upgraded to a new secure wireless network whilst requiring all new clients to operate on WPA2 Enterprise using PEAP. David -- David Wood david@wood2.org.uk
Hi,m Thank you for the informative reply. It'll take a couple of days to gigest all of it (me being so new to this and all :) ), but I think I can take a look at the PEAP solution. As far as the the APs, believe me, this is a fight I've already lost. Being a school, we have next to nothing in the IT budget (it took me a year to convince them that yes, we do need managed switches), and even getting money for infrastructure is a hassle. Thank you, German Kalinec David Wood-6 wrote:
Hi German,
You've already had much wisdom; I'm going to try a comprehensive reply to the whole problem.
In message <8437548.post@talk.nabble.com>, gkalinec <gkalinec@newroads.org> writes
I work for a mid-size private school (about 700-800 people on campus), and I'm trying to set up a way to limit the use of our wireless to our students/staff. The main problem that I'm encountering is finding a solution that will fit our needs.
Yours is hardly the biggest wireless deployment; there are solutions that exist for this.
A little background first... When I first started (about a year ago, and I'm still the only IT person managing the whole school network) we had crappy wireless at different places on campus for students and staff to access our network. The person who set these up (my current boss) simply did a MAC access control list on each AP and made the students and staff come to him to register their computers. This was a major pain since each of our APs (7 of them) had to have the new MAC address manually added to each AP every time we had a new laptop. The problem with this solution (aside from having to enter the
MACs
7 times) was that we eventually run out of room in the MAC table.
MAC authentication is trivially broken. Most wireless cards can work with a spoofed MAC address, and MAC addresses are trivially sniffed from the air.
As you've also found out, maintainability of MAC tables is an issue. Some APs (including the 3Com 8760 - more about that in a minute) support MAC authentication against a RADIUS server, but it's usually not worth the effort, as it provides little if any extra security on top of WPA.
In fact, the 3Com 8760 doesn't support MAC authentication against a RADIUS server when using 802.1x. You could configure the RADIUS server to verify the MAC address when dealing with EAP, but this adds so little to security it isn't worth the hassle and the maintenance effort in my opinion.
After some negotiating we got new wireless, but still not top of the line (I wanted CISCOs, we got Netgear WPN802s instead), and I found that we still run out space in the table (it now help 50, we now have about 100+ laptops being used by students).
It doesn't have to be Cisco to be decent; there are some reasonable enough enterprise APs from other vendors.
The latest AP I bought was a 3Com 8760, which is a dual band (802.11a and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access points per band (each with a different SSID, encryption and authentication settings, and optionally a different VLAN as well). It supports 802.1q tagged VLAN operation, RADIUS authentication and accounting, and you can return which VLAN to connect a user to in the Access-Accept packet from your RADIUS server. The 8760 is a Power over Ethernet device, and is supplied with simple Power over Ethernet injector.
The only drawbacks I've found are that the web interface doesn't work perfectly in Firefox (it's documented as IE only in the current firmware release), RADIUS accounting has to be set at the CLI (again, documented as a limitation in the current firmware) and the PoE injector isn't fully 802.3af compliant, in that it doesn't employ any resistive sensing and is permanently live instead (which means you have to be careful what you connect it to - I inadvertently blew up a cheap network tester by connecting it to the other end of one of these).
It's not just the RADIUS accounting that you need to set up in the CLI - in fact, there's a few useful bits and pieces not supported in the web interface. Things like WPA2 pre-authentication are most easily configured in the CLI. Fortunately the user guide has full documentation of all the CLI commands.
There is a single band version of the 8760, the 7760 (capable of 802.11a or 802.11b/g, but not both at once unlike the 8760).
I had a quick look at the manual of the Netgear WPN802v1, and it's a device that I'd class only as a consumer grade AP - in fact, it falls well short of what most consumer grade APs can achieve. Despite the documentation of EAP and WPA2 in the appendix to the manual, it doesn't appear from the specification to support anything higher than WPA-PSK, which is useless in this context. Handing out a passphrase to 100+ users just isn't on.
You hint later that the Netgear APs have WPA Enterprise support - that's WPA with RADIUS rather than a Pre Shared Key. If not, you're going to need new APs - indeed, you may find the that existing APs really aren't up to the job even if they do have WPA Enterprise support. The 'sales' pitch is that you will be securing your wireless network properly. I'd go for a proper enterprise AP this time, and you could certainly evaluate the 3Com units I've mentioned.
Just to indicate how an enterprise grade AP needn't cost a fortune, current pricing in the UK is around GBP75 for the Netgear WPN802, whilst the 3Com 7760 can be had for GBP110 and the 3Com 8760 for GBP175. Power over Ethernet makes installation much easier. Overall, the price of decent network infrastructure is coming down; a decent 24 port 10/100 plus 2 port 10/100/1000 L2 managed switch such as a HP Procurve 2510-24 is around GBP200 now.
If everything has WPA2 support, deploy WPA2, but you may have some clients that only support WPA AES, in which case WPA2-Mixed mode may come to the rescue. If you have some clients that only support WPA TKIP, you'll probably have to use WPA Enterprise TKIP.
It's in this sort of scenario that the virtual APs of the 3Com units are useful - you can use WPA2 when possible, whilst accommodating kit that can't manage WPA2 as well, optionally on a separate VLAN that maybe doesn't have access to more secure internal services.
Indeed, you can use the 3Com APs to provide simultaneous wireless hotspot service via a captive portal setup (such as Chillispot) and RADIUS authenticated access to the internal network for authorised users - again, it's the virtual AP feature that comes in so useful.
I know that the solution is to implement a radius authentication with the APs that we have. The APs support radius servers using either WAP or legacy 802.1X (with WEP keys). I did tons of research on WAP (being the preferred method), but I could not get around the fact that certificates MUST be installed in the client computer in order for the protocol to work. This is simply impossible since most of our students (and staff for that matter) are unable to install certificates (or unwilling) and having to install certificates manualy myself is just too time consuming.
You mean WPA, not WEP.
So my first questions is what methods would you suggest for this kind of set up?
Many wireless supplicants, such as the Microsoft one built into Windows XP, only support EAP-TLS and "PEAP" (technically PEAPv0/EAP-MSCHAPv2). There are other forms of EAP, such as EAP-TTLS, but without broad supplicant support, they're no use to you.
EAP-TLS requires client side certificates. I use it - but for you it's out of the question. You need a robust infrastructure to issue client certificates and the support burden is heavy, too.
You should therefore look at PEAP - the only certificate required in that case is one for the RADIUS server, with the clients using user names and passwords.
As others have said, if you have an authentication database already, you may be able to leverage that for PEAP in FreeRADIUS (using SQL, LDAP, Active Directory or Kerberos as appropriate). It depends on the password format, mainly.
You may be able to get away with creating your own CA (or using an existing CA under your control) when creating the server certificate, but that may require you to install root certificates on at least some machines. There's no harm testing with a certificate issued on your own CA - if it causes problems, get a certificate for the RADIUS server from a CA whose root certificate is in all the operating systems in question. Make sure the certificate signing request has the appropriate extensions, however!
Using PEAP may give you problems with Windows XP machines that aren't upgraded to SP2 (and you may additionally need the KB885453 hotfix). You can probably get away with setting the cipher_list in eap.conf to HIGH for added security; certainly that works with all my wireless clients, though it does depend which ciphers your wireless supplicants support.
My original idea was to implement the legacy 802.1x option. i managed to set up the AP correctly and the radius server to authenticate based on MAC addresses, but I could not find a way to get the WEP key back to the client laptop. I'm not even sure it is possible, really, and I'm hesitant to try to have our students and staff enter a WEP key into their laptops themselves (since when they fail they will come for me to set it up, and if I wanted to change the WEP key, I would have to re-change it on every laptop). Is tehre any way for the radius server to send back the WEP key to the client? I know it must seem horribly insecure (and it is), but I have to show my boss a solution that is better than simply leaving our network open. Can some one help or suggest a better way of resolving this?
I'd forget all about WEP with 802.1x; it's not well standardised, it's insecure because WEP is insecure and client support is often not as good as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA Enterprise) is where you should be looking; the necessary keys to enable it to work are generated by the RADIUS server and passed to the AP.
In summary, I recommend setting up a PEAP setup using FreeRADIUS, and using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's all they support.
If that proves impractical, some kind of Chillispot or similar captive portal setup based around RADIUS is possible, but that won't encrypt the data on the wireless network, which should be one of your aims. Chillispot can be used with WPA, but I have no experience of doing this.
MAC authentication, in my opinion, isn't worth bothering with - the security it provides is trivially broken, and management is a nightmare.
If you need new APs, something like the 3Com 7760 or 8760 would be more suitable than the arguably consumer grade Netgear units you have, not least because you can accommodate legacy clients that can't be upgraded to a new secure wireless network whilst requiring all new clients to operate on WPA2 Enterprise using PEAP.
David -- David Wood david@wood2.org.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
David Wood -
Gaddis, Jeremy L. -
gkalinec -
jonr@destar.net -
King, Michael -
Nazeer Khan