ldap/krb5 auth and access point Authentication methods ?
Hello, We are using openldap/kerberos (MIT) and just bought 2 CISCO Aironet 1250. I'd like to use freeradius to auth. our users. I read that freeradius can use openldap and kerberos, so i suppose I will setup these for auth. Most of my Wi-Fi users will be Windows/Mac Os and I'd like to avoid custom installation on the laptops. The question is : Which auth method should I use on the access points ? tx !
FM wrote:
I'd like to use freeradius to auth. our users. I read that freeradius can use openldap and kerberos, so i suppose I will setup these for auth.
Maybe. You are constrained by the limitations of the authentication protocols. i.e. FreeRADIUS can do a lot, but only if the authentication protocols are compatible.
Most of my Wi-Fi users will be Windows/Mac Os and I'd like to avoid custom installation on the laptops.
The question is : Which auth method should I use on the access points ?
Access points don't use authentication methods. The wireless clients (supplicants) do. And most Windows machines only do PEAP. http://deployingradius.com/documents/protocols/compatibility.html I would suggest using TTLS, which is supported by the Macs. Use something like SecureW2 for the Windows machines, to upgrade them to using TTLS. Alan DeKok.
Hi,
I'd like to use freeradius to auth. our users. I read that freeradius can use openldap and kerberos, so i suppose I will setup these for auth.
- or just use one of them - decide which one to use and ensure clients are configured correctly
Most of my Wi-Fi users will be Windows/Mac Os and I'd like to avoid custom installation on the laptops.
in that case, PEAP with MSCHAPv2 - windows only does EAP-TLS and PEAP without additional software (new supplicant or additional supplicant plugin). you'll also want your RADIUS server cert to be signed by a main cert authority. I prefer to use a self-signed (because its then a closed loop system and a LOT harder for someone to pretend to be your RADIUS) - but if you do it this way yu'd have to get the self CA onto the systems trusted cert reg - and thats client config work - which you seem to want to avoid.
Which auth method should I use on the access points ?
err, none. you configure them to have a network with an SSID of whatever, serving out a network which is WPA enterprise (all the usual crypto stuff) with a RADIUS server of x.y.z.a (and maybe a second and third one for backup). the client supplicant and the RADIUS server deal with the auth method. the AP gets a simple 'let this user one' message at the end of the day. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
FM