New design/deployment of freeradius
Hello, I'm new to radius so I have some basic questions regarding the design and deployment of our freeradius server. We want to use freeradius for our BYOD deployment. We have the following: Ubuntu, OpenLDAP, Ruckus Zone Director and a Safe_Connect NAC. Our passwords are not clear text in ldap. We would like to avoid client certificates and we would like to do dynamic VLAN assignments. I'd like to verify that I'm on the right track here with setting up the protocols and types to use. We have to use PAP because of not having clear text passwords? To avoid client certificates, we can use PEAP type of EAP? Also, we have a wildcard domain SSL certificate, can this be used or do we have to create a new one for this purpose on the server? Is there a recommended configuration for this type of deployment? Do you have any tips or tricks that would make our deployment go smoother? Thanks!
On 05/22/2013 12:58 AM, Tena Gore wrote:
I'd like to verify that I'm on the right track here with setting up the protocols and types to use.
See: http://deployingradius.com/documents/protocols/compatibility.html
We have to use PAP because of not having clear text passwords?
Well, you said what it's wasn't, but didn't say what it *was*. MSCHAP requires the NT hash, or the cleartext to generate the NT hash. If you have a crypt (old or new style) then yes, you will need to use PAP.
To avoid client certificates, we can use PEAP type of EAP?
PEAP does not support PAP, only MSCHAP. To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 without 3rd party software.
Also, we have a wildcard domain SSL certificate, can this be used or do we have to create a new one for this purpose on the server?
People have reported problems with wildcard certs and windows clients. See the list archives.
Is there a recommended configuration for this type of deployment? Do you have any tips or tricks that would make our deployment go smoother?
"Recommended" would be to move to store plaintext passwords, which will let you use the full variety of EAP methods.
Thank you all for your replies. Our passwords are SALTED SHA1 encoded, so the chart you so kindly directed me to states we would have to use EAP-GTC with PAP. Seems I have quite a steep learning curve in a short amount of time. On Wed, May 22, 2013 at 12:13 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 05/22/2013 12:58 AM, Tena Gore wrote:
I'd like to verify that I'm on the right track here with setting up the
protocols and types to use.
See:
We have to use PAP because of not having clear text passwords?
Well, you said what it's wasn't, but didn't say what it *was*.
MSCHAP requires the NT hash, or the cleartext to generate the NT hash.
If you have a crypt (old or new style) then yes, you will need to use PAP.
To avoid client certificates, we can use PEAP type of EAP?
PEAP does not support PAP, only MSCHAP.
To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 without 3rd party software.
Also, we have a wildcard domain SSL certificate, can this be used or do
we have to create a new one for this purpose on the server?
People have reported problems with wildcard certs and windows clients. See the list archives.
Is there a recommended configuration for this type of deployment? Do you
have any tips or tricks that would make our deployment go smoother?
"Recommended" would be to move to store plaintext passwords, which will let you use the full variety of EAP methods. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi,
I'm new to radius so I have some basic questions regarding the design and deployment of our freeradius server. We want to use freeradius for our BYOD deployment. We have the following: Ubuntu, OpenLDAP, Ruckus Zone Director and a Safe_Connect NAC. Our passwords are not clear text in ldap. We would like to avoid client certificates and we would like to do dynamic VLAN assignments. I'd like to verify that I'm on the right track here with setting up the protocols and types to use. We have to use PAP because of not having clear text passwords? To avoid client certificates, we can use PEAP type of EAP?
those 2 dont go together - you cannot have PAP with PEAP. EAP-TTLS has a PAP method but then some clients dont have EAP-TTLS ability (and some do with an extra supplicant installed).
Also, we have a wildcard domain SSL certificate, can this be used or do we have to create a new one for this purpose on the server?
some clients dont like such......but so long as the RADIUS server is signed with certificate that has the required extensions you'll be okay
Is there a recommended configuration for this type of deployment? Do you have any tips or tricks that would make our deployment go smoother?
?? theres hundreds of ways of deploying. however, so long as your LDAP backend has the entries that allow you to distinguish between eg a registered device (eg known MAC) or type of ID eg staff or student, you can do the required policies. FreeRADIUS can return the required reply values to your kit to instruct the VLAN/WLAN ID/number. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Phil Mayers -
Tena Gore