How to configure FreeRadius so that clients don't have to be changed?
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible? Thanks in advance. -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha... Sent from the FreeRadius - User mailing list archive at Nabble.com.
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible?
No. It's like asking "how do I make the PC be a web server... but I don't want to install a web server". You have to configure WLAN authentication on the clients in order for WLAN authentication to work. Alan DeKok.
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible?
No.
It's like asking "how do I make the PC be a web server... but I don't want to install a web server".
You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And is it possible to do this automatically via remote or something else? -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha... Sent from the FreeRadius - User mailing list archive at Nabble.com.
DaSilva wrote:
And is it possible to do this automatically via remote or something else?
Is it possible to remotely install programs, and edit registry entries on the PC? In some cases, yes. But this has nothing to do with FreeRADIUS. Alan DeKok.
I take it that you mean, is it possible to make it transparent to the user, in which, the answer is yes. Depending on your access points, you may be able to do MAC address authentication, which anyone will tell you is insanely insecure, but it prevents people from driving up and accessing your network (unless they are technically inclined to use a packet capturing program and spoof a mac address). So insecure, yes. But practical so long as you dont have a bunch of crackers living around wherever you are setting up authentication. Mac OSX as well as many Linux distros have 802.1x authentication/WPA enterprise built in, so it is not much of a problem. Im not sure about the current state of windows in this department (havent used it in a while... could someone chime in) On Wed, Jul 16, 2008 at 12:37 PM, DaSilva <Edwinem_von_Forresterra@web.de> wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible?
No.
It's like asking "how do I make the PC be a web server... but I don't want to install a web server".
You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And is it possible to do this automatically via remote or something else? -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Random quote of the week/month/whenever i get to updating it: "Like an unchecked cancer, hate corrodes the personality and eats away its vital unity. Hate destroys a man's sense of values and his objectivity. It causes him to describe the beautiful as ugly and the ugly as beautiful, and to confuse the true with the false and the false with the true." - Martin Luther King Jr.
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva <Edwinem_von_Forresterra@web.de> wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible?
No.
It's like asking "how do I make the PC be a web server... but I don't want to install a web server".
You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And is it possible to do this automatically via remote or something else? -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha...
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs. So that we have a global station where we can change something for all APs in our AD. I don't mean authentification via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this? -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva <Edwinem_von_Forresterra@web.de> wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible?
No.
It's like asking "how do I make the PC be a web server... but I don't want to install a web server".
You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And is it possible to do this automatically via remote or something else? -- View this message in context:
http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha ve-to-be-changed--tp18482025p18483881.html
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs. So that we have a global station where we can change something for all APs in our AD. I don't mean authentification via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this? --
Just another option, and this may be a useless suggestion, but I'll throw it out there anyway. Some AP's support a "walled garden" feature which takes the ignores the original request and forces the client to a login page (like at airports, $tarbucks etc). Once the client goes there and enters their credentials, RADIUS is used to authenticate them, and they are allowed or denied at that time. It allows you to deploy one configuration to all your points, and use a RADIUS backend (and AD, mysql, text files whatever you use to drive that) to centralize configuration at that point. The glitch is, you have to have AP's that support walled garden, but if you do, it's handy. That said, it sounds like you are already using access lists with MAC addresses for authentication, so the security problems that Alan Dekok noted are already present in your system and MAC authentication might be what you want after all.
In your AP user manual. You will still need to set up radius secret, switch local to radius authentication etc. on every AP. It can be done remotely (telnet, ssh, some even have web control panels). Ivan Kalik Kalik Informatika ISP Dana 16/7/2008, "DaSilva" <Edwinem_von_Forresterra@web.de> piše:
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva <Edwinem_von_Forresterra@web.de> wrote:
Alan DeKok-4 wrote:
DaSilva wrote:
I want to set up a FreeRadius server for WLAN authentification without the need to change anything on client PCs (because we have so much clients that this would be to much work). Is that possible?
No.
It's like asking "how do I make the PC be a web server... but I don't want to install a web server".
You have to configure WLAN authentication on the clients in order for WLAN authentication to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And is it possible to do this automatically via remote or something else? -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha...
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs. So that we have a global station where we can change something for all APs in our AD. I don't mean authentification via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this? -- View this message in context: http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-ha... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
DaSilva wrote:
I believe you misunderstood me. We have many APs which all have their own access list, MAC addresses etc. and we want to use a RADIUS server to do this for all APs.
This is called "MAC address authentication", not "WLAN authentication".
So that we have a global station where we can change something for all APs in our AD. I don't mean authentification via WPA and TLS or something like this. So how can I do this or where can I find a tutorial / howto for this?
Put the MAC addresses into a database, just like user names && passwords. There's no need for a "howto". Alan DeKok.
participants (5)
-
Alan DeKok -
DaSilva -
Ivan Kalik -
Jester -
Paul Bartell