Hello! Without considering any security is it possible to hand out a voucher to a client with just the ESSID, the username and the password written down and this client can authenticate to the radiusserver over the authenticator? Please be patient with me! Andreas
Hi,
Hello!
Without considering any security is it possible to hand out a voucher to a client with just the ESSID, the username and the password written down and this client can authenticate to the radiusserver over the authenticator? Please be patient with me!
depends on the methods used, server configuration and the client involved alan
Hi! alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hello!
Without considering any security is it possible to hand out a voucher to a client with just the ESSID, the username and the password written down and this client can authenticate to the radiusserver over the authenticator? Please be patient with me!
depends on the methods used, server configuration and the client involved
In the simpliest environment I want to see what is possible and how it can be done. I don't really know what methods to use for an easy authentication without EAP. I think maybe the server can be configured to look into the users database whether there is an entry for that user and says ok to the authenticator. This is all because I want to learn what and how can be done with the server. At the moment I am testing all this with an openSUSE 11.3. A Windows XP I have only available in a VBox-environment. So testing with a Linux would be enough for me a the moment. Andreas
On Thu, Jul 5, 2012 at 3:43 PM, Andreas Meyer <anmeyer@anup.de> wrote:
Hi!
alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hello!
Without considering any security is it possible to hand out a voucher to a client with just the ESSID, the username and the password written down and this client can authenticate to the radiusserver over the authenticator? Please be patient with me!
depends on the methods used, server configuration and the client involved
In the simpliest environment I want to see what is possible and how it can be done. I don't really know what methods to use for an easy authentication without EAP.
One option would be captive portal, e.g. chillispot and derivatives. -- Fajar
"Fajar A. Nugraha" <list@fajar.net> wrote:
On Thu, Jul 5, 2012 at 3:43 PM, Andreas Meyer <anmeyer@anup.de> wrote:
Without considering any security is it possible to hand out a voucher to a client with just the ESSID, the username and the password written down and this client can authenticate to the radiusserver over the authenticator? Please be patient with me!
depends on the methods used, server configuration and the client involved
In the simpliest environment I want to see what is possible and how it can be done. I don't really know what methods to use for an easy authentication without EAP.
One option would be captive portal, e.g. chillispot and derivatives.
Yes, I have heard of that and shall try pfSense for example. But I want to understand the contiguities of what method pfSense is using to talk to the Radiusserver to be able to create vouchers. Is there a big picture somewhere available for the freeradius-server like it is for postfix for example? I want to understand the contiguities between proxiing, outer-tunnel, inner-tunnel for example. If I have a users file and a sql-database, where does freeradius look first and what if there is an entry in both databases but they differ in the password used. So many questions. Andreas
On Thu, Jul 5, 2012 at 11:05 PM, Andreas Meyer <anmeyer@anup.de> wrote:
Is there a big picture somewhere available for the freeradius-server like it is for postfix for example? I want to understand the contiguities between proxiing, outer-tunnel, inner-tunnel for example.
That's a different topic than what you asked before. And if you're only using a captive portal, you won't be using any of those anyway, you'd be only using the default virtual server. See http://wiki.freeradius.org/Concepts on for-dummies explanation on how it works. For how proxy works, see http://wiki.freeradius.org/Proxy
If I have a users file and a sql-database, where does freeradius look first and
Depending on how you configure it. In other words, depends on the order on authorize section.
what if there is an entry in both databases but they differ in the password used. So many questions.
If the attribute is the same one, the one listed later should overwrite the former. CMIIW. -- Fajar
"Fajar A. Nugraha" <list@fajar.net> wrote:
On Thu, Jul 5, 2012 at 11:05 PM, Andreas Meyer <anmeyer@anup.de> wrote:
Is there a big picture somewhere available for the freeradius-server like it is for postfix for example? I want to understand the contiguities between proxiing, outer-tunnel, inner-tunnel for example.
That's a different topic than what you asked before. And if you're only using a captive portal, you won't be using any of those anyway, you'd be only using the default virtual server. See http://wiki.freeradius.org/Concepts on for-dummies explanation on how it works.
Ok, thank you for the hints! Everything is getting clearer by and by. I just found out that I get entry into the WLAN with an android smartphone by just using the username and password without using the ca.crt with PEAP/MSchap2. I read in the protocols-table that only with EAP-TLS certificates are used.
For how proxy works, see http://wiki.freeradius.org/Proxy
If I have a users file and a sql-database, where does freeradius look first and
Depending on how you configure it. In other words, depends on the order on authorize section.
what if there is an entry in both databases but they differ in the password used. So many questions.
If the attribute is the same one, the one listed later should overwrite the former. CMIIW.
Thanks! -- Andreas
On 07/09/2012 06:30 PM, Andreas Meyer wrote:
Ok, thank you for the hints! Everything is getting clearer by and by. I just found out that I get entry into the WLAN with an android smartphone by just using the username and password without using the ca.crt with PEAP/MSchap2. I read in the protocols-table that only with EAP-TLS certificates are used.
No, this is not true. All TLS-based EAP methods REQUIRE a server cert - EAP-TLS, EAP-PEAP, EAP-TTLS. If you aren't validating this server cert, you are vulnerable to attack. EAP-TLS is unique in that it also requires a CLIENT cert. TTLS/PEAP use username/password to identify the client.
participants (5)
-
alan buxey -
Andreas Meyer -
anmeyer@anup.de -
Fajar A. Nugraha -
Phil Mayers