a freeradious/wireless solution for a school
King, Michael
MKing at bridgew.edu
Mon Jan 22 23:40:05 CET 2007
Without being too subtle, you've misunderstood much of the research
you've read. Don't worry about it, there is quite a bit of
contradictory information out there.
There's quite a bit of background information, so it'll be a little bit
before I mention FreeRADIUS.
First: It's WPA, not WAP (different fields of technology).
Forget much of what you've read.
First, this is what you have been doing.
It's called MAC filtering. The AP will only talk to MACs that it has in
its table.
In short, this is useless, since if I wanted to get on, I'd just fire up
a packet sniffer.
(They're free and easy to get. http://www.wireshark.org/ for example)
Copy some poor soul's MAC address, and I'm on. It's an administrative
nightmare.
You should not do this. A second form of this is to load all the MAC
addresses into a RADIUS server, then the AP will interrogate RADIUS to
find out if it's on its allow list. This is as useless as the way you're
doing it now, because I can still easily copy your MAC address. You
should not do this either.
Second:
You mention 802.1X with WEP. You do not enter WEP keys at all, the
RADIUS server takes care of it. This is a standard way of doing
wireless. However, I'd highly recommend you DO NOT pursue this, as it's
very insecure, and has been replaced by WPA. All the benefits of doing
this apply to WPA. You can do this if you want, but I'd suggest not
to.
Third:
Now we're on to WPA. This is what you should implement.
WPA comes in two forms: WPA and WPA2.
The primary difference is that WPA was designed as an interim protocol,
with backward compatibility in mind.
WPA2 was designed to be run on new hardware, and uses AES encryption. If
you are setting a new network up, just use WPA2.
Both WPA and WPA2 come in two forms: PSK and Enterprise.
PSK (or Pre-Shared Key) is what you mentioned. You load a secret key
onto all your APs, and then put the same key on all your users'
machines. It's designed for HOME use. You do NOT want to use this form.
Enterprise is what you WANT to use. You have all your usernames and
passwords stored in a database (be it SQL, Active Directory, LDAP, etc.).
This is where FreeRADIUS comes in. You configure all your APs to use
RADIUS, and give it the RADIUS IP.
You configure RADIUS to perform either TTLS and/or PEAP. (This is site
specific, you need to decide your backend database to determine which
one you can use)
You configure your client to use TTLS or PEAP, and upon connecting to
the network, they will be prompted to enter username and password. If
they don't have one, they don't get on. If they do have one, they get
on.
Now we're at RADIUS. What type of user database do you have?
Active Directory? Novell? Not having one is an acceptable answer as
well.
Post back, it's a lot of info, but we're here to help.
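A minimal FreeRADIUS configuration for the WPA2-Enterprise setup described in the post above, added here as an example and not part of the original message or the FreeRADIUS project's shipped config; the AP address, shared secret, key passphrase and certificate paths are constructed placeholders.

```conf
# clients.conf: every AP that may ask this server about users, keyed by
# the AP's IP address (address and secret are constructed placeholders)
client 192.0.2.10 {
        secret    = ChangeMe-long-random-per-AP    # must match the AP's RADIUS setting
        shortname = ap-library
}

# eap.conf (FreeRADIUS 2.x layout; in 1.x the same block lives in the
# "modules" section of radiusd.conf)
eap {
        # What the server offers a client that has no preference.
        # peap -> PEAP/MSCHAPv2: works against Active Directory (ntlm_auth)
        #         or cleartext/NT-hash passwords in users, SQL or LDAP
        # ttls -> TTLS with an inner PAP: works against any backend that can
        #         check a password handed to it, e.g. an LDAP bind
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no

        # The server certificate is what protects the username/password.
        # Clients must be set to validate it against ca.pem; otherwise any
        # AP advertising the same SSID can terminate the PEAP/TTLS tunnel
        # and collect credentials.
        tls {
                certdir = ${confdir}/certs
                cadir   = ${confdir}/certs
                certificate_file     = ${certdir}/server.pem
                private_key_file     = ${certdir}/server.pem
                private_key_password = ChangeMe-key-passphrase   # constructed
                CA_file              = ${cadir}/ca.pem
                dh_file              = ${certdir}/dh
                random_file          = /dev/urandom
        }

        peap {
                default_eap_type = mschapv2
        }
        ttls {
                default_eap_type       = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply     = no
        }
        mschapv2 {
        }
}
```

Which inner method you can actually use depends on how the backend stores passwords: MSCHAPv2 needs a cleartext or NT-hash password (or an AD domain join), while TTLS/PAP only needs a backend that can verify a password it is given.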