a freeradious/wireless solution for a school
gkalinec
gkalinec at newroads.org
Thu Jan 25 15:56:54 CET 2007
Hi,
Thank you for the informative reply. It'll take a couple of days to digest
all of it (me being so new to this and all :) ), but I think I can take a
look at the PEAP solution.
As far as the APs, believe me, this is a fight I've already lost. Being
a school, we have next to nothing in the IT budget (it took me a year to
convince them that yes, we do need managed switches), and even getting money
for infrastructure is a hassle.
Thank you,
German Kalinec
David Wood-6 wrote:
>
> Hi German,
>
> You've already had much wisdom; I'm going to try a comprehensive reply
> to the whole problem.
>
> In message <8437548.post at talk.nabble.com>, gkalinec
> <gkalinec at newroads.org> writes
>>I work for a mid-size private school (about 700-800 people on campus), and
>>I'm trying to set up a way to limit the use of our wireless to our
>>students/staff. The main problem that I'm encountering is finding a
>>solution that will fit our needs.
>
> Yours is hardly the biggest wireless deployment; there are solutions
> that exist for this.
>
>
>> A little background first...
>>When I first started (about a year ago, and I'm still the only IT person
>>managing the whole school network) we had crappy wireless at different
>>places on campus for students and staff to access our network. The person
>>who set these up (my current boss) simply did a MAC access control list on
>>each AP and made the students and staff come to him to register their
>>computers. This was a major pain since each of our APs (7 of them) had to
>>have the new MAC address manually added to each AP every time we had a new
>>laptop. The problem with this solution (aside from having to enter the MACs
>>7 times) was that we eventually ran out of room in the MAC table.
>
> MAC authentication is trivially broken. Most wireless cards can work
> with a spoofed MAC address, and MAC addresses are trivially sniffed from
> the air.
>
> As you've also found out, maintainability of MAC tables is an issue.
> Some APs (including the 3Com 8760 - more about that in a minute) support
> MAC authentication against a RADIUS server, but it's usually not worth
> the effort, as it provides little if any extra security on top of WPA.
>
> In fact, the 3Com 8760 doesn't support MAC authentication against a
> RADIUS server when using 802.1x. You could configure the RADIUS server
> to verify the MAC address when dealing with EAP, but this adds so little
> to security it isn't worth the hassle and the maintenance effort in my
> opinion.
>
>
>>After
>>some negotiating we got new wireless, but still not top of the line (I
>>wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
>>ran out of space in the table (it now holds 50, we now have about 100+ laptops
>>being used by students).
>
> It doesn't have to be Cisco to be decent; there are some reasonable
> enough enterprise APs from other vendors.
>
>
> The latest AP I bought was a 3Com 8760, which is a dual band (802.11a
> and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access
> points per band (each with a different SSID, encryption and
> authentication settings, and optionally a different VLAN as well). It
> supports 802.1q tagged VLAN operation, RADIUS authentication and
> accounting, and you can return which VLAN to connect a user to in the
> Access-Accept packet from your RADIUS server. The 8760 is a Power over
> Ethernet device, and is supplied with simple Power over Ethernet
> injector.
>
> The only drawbacks I've found are that the web interface doesn't work
> perfectly in Firefox (it's documented as IE only in the current firmware
> release), RADIUS accounting has to be set at the CLI (again, documented
> as a limitation in the current firmware) and the PoE injector isn't
> fully 802.3af compliant, in that it doesn't employ any resistive sensing
> and is permanently live instead (which means you have to be careful what
> you connect it to - I inadvertently blew up a cheap network tester by
> connecting it to the other end of one of these).
>
> It's not just the RADIUS accounting that you need to set up in the CLI -
> in fact, there's a few useful bits and pieces not supported in the web
> interface. Things like WPA2 pre-authentication are most easily
> configured in the CLI. Fortunately the user guide has full documentation
> of all the CLI commands.
>
>
> There is a single band version of the 8760, the 7760 (capable of 802.11a
> or 802.11b/g, but not both at once unlike the 8760).
>
>
>
> I had a quick look at the manual of the Netgear WPN802v1, and it's a
> device that I'd class only as a consumer grade AP - in fact, it falls
> well short of what most consumer grade APs can achieve. Despite the
> documentation of EAP and WPA2 in the appendix to the manual, it doesn't
> appear from the specification to support anything higher than WPA-PSK,
> which is useless in this context. Handing out a passphrase to 100+ users
> just isn't on.
>
>
> You hint later that the Netgear APs have WPA Enterprise support - that's
> WPA with RADIUS rather than a Pre Shared Key. If not, you're going to
> need new APs - indeed, you may find that the existing APs really aren't
> up to the job even if they do have WPA Enterprise support. The 'sales'
> pitch is that you will be securing your wireless network properly. I'd
> go for a proper enterprise AP this time, and you could certainly
> evaluate the 3Com units I've mentioned.
>
> Just to indicate how an enterprise grade AP needn't cost a fortune,
> current pricing in the UK is around GBP75 for the Netgear WPN802, whilst
> the 3Com 7760 can be had for GBP110 and the 3Com 8760 for GBP175. Power
> over Ethernet makes installation much easier. Overall, the price of
> decent network infrastructure is coming down; a decent 24 port 10/100
> plus 2 port 10/100/1000 L2 managed switch such as a HP Procurve 2510-24
> is around GBP200 now.
>
>
> If everything has WPA2 support, deploy WPA2, but you may have some
> clients that only support WPA AES, in which case WPA2-Mixed mode may
> come to the rescue. If you have some clients that only support WPA TKIP,
> you'll probably have to use WPA Enterprise TKIP.
>
> It's in this sort of scenario that the virtual APs of the 3Com units are
> useful - you can use WPA2 when possible, whilst accommodating kit that
> can't manage WPA2 as well, optionally on a separate VLAN that maybe
> doesn't have access to more secure internal services.
>
> Indeed, you can use the 3Com APs to provide simultaneous wireless
> hotspot service via a captive portal setup (such as Chillispot) and
> RADIUS authenticated access to the internal network for authorised users
> - again, it's the virtual AP feature that comes in so useful.
>
>
>>I know that the solution is to implement a radius
>>authentication with the APs that we have. The APs support radius servers
>>using either WAP or legacy 802.1X (with WEP keys). I did tons of research
>>on WAP (being the preferred method), but I could not get around the fact
>>that certificates MUST be installed in the client computer in order for the
>>protocol to work. This is simply impossible since most of our students (and
>>staff for that matter) are unable to install certificates (or unwilling) and
>>having to install certificates manually myself is just too time consuming.
>
> You mean WPA, not WEP.
>
>
>>So my first question is what methods would you suggest for this kind of set
>>up?
>
> Many wireless supplicants, such as the Microsoft one built into Windows
> XP, only support EAP-TLS and "PEAP" (technically PEAPv0/EAP-MSCHAPv2).
> There are other forms of EAP, such as EAP-TTLS, but without broad
> supplicant support, they're no use to you.
>
> EAP-TLS requires client side certificates. I use it - but for you it's
> out of the question. You need a robust infrastructure to issue client
> certificates and the support burden is heavy, too.
>
>
> You should therefore look at PEAP - the only certificate required in
> that case is one for the RADIUS server, with the clients using user
> names and passwords.
>
> As others have said, if you have an authentication database already, you
> may be able to leverage that for PEAP in FreeRADIUS (using SQL, LDAP,
> Active Directory or Kerberos as appropriate). It depends on the password
> format, mainly.
>
>
> You may be able to get away with creating your own CA (or using an
> existing CA under your control) when creating the server certificate,
> but that may require you to install root certificates on at least some
> machines. There's no harm testing with a certificate issued on your own
> CA - if it causes problems, get a certificate for the RADIUS server from
> a CA whose root certificate is in all the operating systems in question.
> Make sure the certificate signing request has the appropriate
> extensions, however!
>
>
> Using PEAP may give you problems with Windows XP machines that aren't
> upgraded to SP2 (and you may additionally need the KB885453 hotfix). You
> can probably get away with setting the cipher_list in eap.conf to HIGH
> for added security; certainly that works with all my wireless clients,
> though it does depend which ciphers your wireless supplicants support.
>
>
>>My original idea was to implement the legacy 802.1x option. I managed to
>>set up the AP correctly and the radius server to authenticate based on MAC
>>addresses, but I could not find a way to get the WEP key back to the client
>>laptop. I'm not even sure it is possible, really, and I'm hesitant to try
>>to have our students and staff enter a WEP key into their laptops themselves
>>(since when they fail they will come for me to set it up, and if I wanted to
>>change the WEP key, I would have to re-change it on every laptop). Is there
>>any way for the radius server to send back the WEP key to the client? I
>>know it must seem horribly insecure (and it is), but I have to show my boss
>>a solution that is better than simply leaving our network open.
>>Can someone help or suggest a better way of resolving this?
>
> I'd forget all about WEP with 802.1x; it's not well standardised, it's
> insecure because WEP is insecure and client support is often not as good
> as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA
> Enterprise) is where you should be looking; the necessary keys to enable
> it to work are generated by the RADIUS server and passed to the AP.
>
>
>
> In summary, I recommend setting up a PEAP setup using FreeRADIUS, and
> using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's
> all they support.
>
> If that proves impractical, some kind of Chillispot or similar captive
> portal setup based around RADIUS is possible, but that won't encrypt the
> data on the wireless network, which should be one of your aims.
> Chillispot can be used with WPA, but I have no experience of doing this.
>
> MAC authentication, in my opinion, isn't worth bothering with - the
> security it provides is trivially broken, and management is a nightmare.
>
>
> If you need new APs, something like the 3Com 7760 or 8760 would be more
> suitable than the arguably consumer grade Netgear units you have, not
> least because you can accommodate legacy clients that can't be upgraded
> to a new secure wireless network whilst requiring all new clients to
> operate on WPA2 Enterprise using PEAP.
>
>
>
>
> David
> --
> David Wood
> david at wood2.org.uk
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
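The setup David describes above (PEAP with EAP-MSCHAPv2 in FreeRADIUS, a server-side certificate only, cipher_list set to HIGH, and a VLAN handed back in the Access-Accept so an 802.1q-capable AP can place the user on it), written out as an added example; it is not from either post and not FreeRADIUS's shipped configuration. The certificate paths, the password placeholder, the example user "alice" and VLAN 20 are assumptions, and the `Cleartext-Password` syntax assumes FreeRADIUS 2.x or later:

```conf
# eap.conf (assumed layout; certificate paths and the key password are placeholders)
eap {
    default_eap_type = peap

    tls {
        # Server certificate only: PEAP needs no client certificates,
        # which is the whole point of choosing it over EAP-TLS here.
        private_key_password = "CHANGE-ME"
        private_key_file = ${raddbdir}/certs/server.pem
        certificate_file = ${raddbdir}/certs/server.pem
        # CA that issued the server certificate: your own CA while testing,
        # a public CA if clients reject the unknown root.
        CA_file = ${raddbdir}/certs/ca.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        # The setting mentioned above: only HIGH-strength ciphers for the
        # outer TLS tunnel. Verify every supplicant model still connects
        # before rolling this out campus-wide.
        cipher_list = "HIGH"
    }

    peap {
        # Inner method: the username/password exchange built into Windows XP.
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}

# users (example flat-file entry; in practice the password lookup would come
# from SQL, LDAP, Active Directory or Kerberos as suggested above)
alice   Cleartext-Password := "example-only"
        # Reply attributes that tell an 802.1q-aware AP which VLAN to use.
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```

The VLAN attributes only have an effect if the AP is configured for tagged VLAN operation and to honour RADIUS-assigned VLANs; otherwise they are ignored and the user lands on the SSID's default VLAN. On the certificate point raised above, Windows supplicants expect the RADIUS server certificate to carry the TLS server authentication extended key usage, so that is the extension to check in the signing request.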
--
View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221.html#a8624324
Sent from the FreeRadius - User mailing list archive at Nabble.com.