Success Story (A tribute to the FreeRADIUS project)
Lefteris St
leste_gr at yahoo.com
Wed Oct 5 18:13:38 CEST 2005
Hello everyone,
I am writing this -long overdue- letter to express my
gratitude to all FR developers and other people who
help through this mailing list.
I may not be an active poster, but this list's archive
has been a tremendous help during my involvement with
FreeRADIUS. Thanks to the intense support (and of
course great open source software), my project was a
success and I managed to learn a couple of things too
:-).
To whom it may concern, I have deployed the following
setup for my University wifi hotspot:
WiFi users connect to APs in the University premises.
Authentication follows two scenarios (depending on the
particular AP site):
Scenario A or NoCat Scenario (low security):
-A NoCat captive gateway runs on a PC connected
directly to the AP (or the AP itself, for embedded
devices). This PC is also responsible for DHCP,
firewall rules etc...
-The user's web browser is redirected to the login
page hosted at the AAA server for this building. There
runs the NoCat Auth Server and (of course) a
FreeRADIUS server. The NCA server gives the user
credentials to FR, who in turn authorizes them
against the local Windows AD (where University users
reside) and a mysql database (for temporary wifi
accounts -can be duration-restricted).
-After the NoCat gateway lets the user in, it
periodically sends accounting information to the FR
server (to be stored in the mysql DB).
Scenario B or EAP scenario (high security):
-A FreeRADIUS proxy runs on a PC connected directly to
the AP (or the AP itself, for embedded devices). This
PC is also responsible for DHCP, firewall rules
etc...
-The AP has WPA-Enterprise enabled and connects to the
proxy FR for authentication.
-Users use IEEE 802.1X clients for EAP authentication (mainly
PEAP).
-The FR proxy forwards authentication packets to the
central FR server (the same one as scenario A) who
authenticates and authorizes against the Windows AD
and mysql DB.
-Accounting packets are sent either by the AP (through
the proxy) or a NoCat gateway (set in "Open" mode)
which runs on the same PC as the proxy.
Accounting information is monitored through the
dialup_admin front-end, which is also used for
temporary wifi accounts (that go in the mysql db).
(The above may imply a large scale deployment but
there are only two APs for now :-) [both running
scenario A].)
That's about it in a nutshell. I named the whole
system the WAL (Wireless Aueb -my University- Lan).
As you can see, I have also made heavy use of the
NoCat project (thanks to everyone in that mailing
list/developer team too!!) but it saddens me to see
that it got stuck in version 0.82 :-(.
Anyway, thanks again and keep up the good work. I am
not done with FR just yet, so I'll be seeing you all
:-).
Stefanis Eleftherios
MSc Student in Computer Science
AUEB
PS: Sorry for the long post, I just thought it would
be nice for people to see what FR (combined with other
great open source software) can do in a complete WiFi
deployment.
PS2: The total software cost for the WAL was 0$ and
took one person (me) a total of about 2 months to
architect and set up.