Some questions about freeRADIUS implementation, PLEASE HELP ME!!

Guy Davies Guy.Davies at telindus.co.uk
Thu Sep 8 17:39:26 CEST 2005


Hi Alfonso,

See inline... 

>-----Original Message-----
>We decided to use freeRADIUS as the RADIUS server on a big
>wireless network (in a university)
>with about five hundred APs, but there are some
>questions (maybe basic questions)
>I need your help to understand better.
>
>1. About certificates
>In the first stage we will use EAP-PEAP authentication
>with primary and backup RADIUS servers.
>I think to do the following:
>At the primary server, I will generate the root,
>primary server and backup server certificates,
>then I will copy the root and backup server
>certificates to the backup server. Is that correct?
>Or do I have to generate the root and
>backup server certificates one more time
>on the backup server?

No, you don't need another root.  I'd normally run the CA (root) on a different (highly secured) box but that's not mandatory.  You really only need one (well backed up) root server.

You also need to distribute the root cert to all the clients.  They will use the root cert (used to sign the RADIUS servers' certs) to authenticate the RADIUS servers.  If the root cert has been signed by a global root CA, then the clients only need the certificate from the global root CA.

>2. At the second stage we will implement a PKI and
>we'll use EAP-TLS, and my doubt is about the
>   LDAP database and Simultaneous-Use; for example,
>with EAP-PEAP I add the following lines to the users file:
> 
>.......
>DEFAULT        Ldap-Group == group1, Simultaneous-Use := 1
>               Aruba-User-Role = "ESTUDIANTE",
>
>DEFAULT        Ldap-Group == group2, Simultaneous-Use := 1
>               Aruba-User-Role = "PROFESORES",
>DEFAULT ....
>.....
>
>And it works perfectly, but what happens if we use EAP-TLS
>--> client certificates? Is there any way to obtain the
>same results?

If you are providing each client with a certificate signed by your CA and the RADIUS servers both have the certificate of the root CA, then they'll be able to authenticate the clients based on the signature of the root CA.  LDAP is used for authorization anyway so you'll use that independently based on the username in the certificate CN.

>If it is affirmative, how can I do it (some
>references, howtos)?
>!!Because when I use EAP-TLS I don't need to add
>anything to the users file nor to the LDAP database!!

You can add authorization in the LDAP database.  It is not used (by EAP-TLS or PEAP/MS-CHAPv2) for authentication.  Note, if you're using PEAP/MS-CHAPv2 and LDAP and you want to store the password in the LDAP database, it *must* be in plain text.

>
>3. Finally, are there any advantages if I use Solaris
>instead of a normal PC with Linux (Debian)?

Hardware and OS support, maybe.  There are certainly PCs out there that can match a (probably much more expensive) Solaris box for performance.  You'll need to ensure that you've got GCC compiled for your Solaris box (AFAIK, it's not supplied in the base OS) so it's a bit of a pain to get going.  In that respect, a good Linux or BSD distribution on a high spec server PC may be the better bet.

>Your help will be very important for me!!
>Thanks in advance
>
>NOTE: Simultaneous-Use works perfectly with some NAS;
>with the ARUBA NAS it doesn't, but I think it needs some
>little changes in the checkrad.pl script.
>
>Alfonso Celestino
>DGSCA,UNAM
>
>

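The users file behaviour the thread turns on (an `Ldap-Group` check item selecting a role, `Simultaneous-Use := 1` capping concurrent sessions, first matching DEFAULT entry winning), as an added Python example that is not part of this mail or of FreeRADIUS itself: a small evaluator for the two posted entries. The parser regex, the `request` dict and the `active_sessions` count (what checkrad.pl / radutmp would supply) are simplifications assumed here.

```python
import re

# Constructed copy of the two DEFAULT entries posted in the thread; the
# elided "DEFAULT ...." lines are omitted. A reply line ending in a comma
# would continue the reply list on the next line, so none is used here.
USERS_FILE = """
DEFAULT        Ldap-Group == group1, Simultaneous-Use := 1
               Aruba-User-Role = "ESTUDIANTE"

DEFAULT        Ldap-Group == group2, Simultaneous-Use := 1
               Aruba-User-Role = "PROFESORES"
"""

# attribute, operator (":=" before "==" before "="), quoted or bare value
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+?)\s*(?:,|$)')

def parse_items(s):
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(s)]

def parse_users(text):
    """Return [(name, check_items, reply_items)]. A line starting in column 0
    is an entry name followed by check items; indented lines are reply items
    belonging to the most recent entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            name, _, rest = line.strip().partition(' ')
            entries.append((name, parse_items(rest), []))
    return entries

def authorize(entries, request, active_sessions):
    """First entry whose '==' checks all match wins (no Fall-Through).
    ':=' check items become control items rather than comparisons; a
    Simultaneous-Use control item is then enforced against the live
    session count. Under EAP-TLS, request['Ldap-Group'] would come from
    the LDAP lookup of the certificate CN, exactly as for PEAP."""
    for _name, checks, replies in entries:
        control, ok = {}, True
        for attr, op, val in checks:
            if op == '==':
                ok = ok and request.get(attr) == val
            elif op == ':=':
                control[attr] = val
        if not ok:
            continue
        limit = control.get('Simultaneous-Use')
        if limit is not None and active_sessions >= int(limit):
            return ('reject', {'Reason': 'Simultaneous-Use limit reached'})
        return ('accept', {a: v for a, _op, v in replies})
    return ('reject', {})
```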