a freeradious/wireless solution for a school

gkalinec gkalinec at newroads.org
Thu Jan 25 16:05:48 CET 2007

The database is not a problem, since we have a huge one in place, one stored
in Active Directory (for which I can use the freeradius LDAP module) or
MySQL one. The database is really our main strength, since we have tons of
information about every student, staff and parent in (its what my main job
responsibility entails).  A quick question, however, would this be just as
eay to set up on a Macintosh? (since many of my supplicants will be macs..)

German Kalinec

King, Michael wrote:
> Without being too subtle, You've mis-understood much of the research
> you've read.  Don't worry about it, there is quite a bit of
> contradictory information out there.
> There's quite a bit of background information, so it'll be a little bit
> before I mention FreeRADIUS.
> First.  It's WPA, not WAP.   (Different fields of technology)
> Forget much of what you've read.
> First, This is what you have been doing.
> Its called MAC filtering.  The AP will only talk to MAC's that it has in
> it's table.
> In short, this is useless, since if I wanted to get on, I'd just fire up
> a packet sniffer. 
> (They're free and easy to get.  http://www.wireshark.org/ for example)
> Copy some poor souls MAC address, and I'm on.  It's an administrative
> nightmare. 
> You should not do this.   A second form of this, is to load all the MAC
> addresses into a radius server, then the AP will interrogate Radius to
> find out if it's on it's allow list.  This is as useless as the way your
> doing it now, because I can still easily copy your MAC address.  You
> should not do this either.
> Second:
> You mention 802.1x with WEP.  You do not enter WEP keys at all, the
> RADIUS server takes care of it.  This is a standard way of doing
> wireless.  However I'd highly recommend you DO NOT pursue this, as it's
> very insecure, and has been replaced by WPA.  All the benefits of doing
> this apply to WPA.  But you can do this if you want, but I'd suggest not
> to.  
> Third
> Now we're on to WPA.  This is what you should implement.
> WPA comes in two forms.  WPA and WPA2
> The primary difference is the WPA was designed as a interim protocol,
> with backward compatibility in mind.  
> WPA2 was designed to be run on new hardware, and uses AES encryption. If
> you are setting a new network up, just use WPA2.
> Both WPA and WPA2 come in two forms.  PSK and Enterprise
> PSK (or Pre-Shared Key) is what you mentioned.  You load a secret key
> onto all your AP's, and then put the same key on all your users
> machines. It's designed for HOME Use.  You do NOT want to use this form.
> Enterprise is what you WANT to use.  You have all your usernames and
> passwords stored in a database.  (Be it SQL, ActiveDirctory, LDAP, etc)
> This is where FreeRADIUS comes in.  You configure all your AP's to use
> RADIUS, and give it the radius IP.
> You configure RADIUS to perform either TTLS and/or PEAP.  (This is site
> specific, you need to decide your backend database to determine which
> one you can use)
> You configure your client to use TTLS or PEAP, and upon connecting to
> the network, they will be prompted to enter username and password.  If
> they don't have one, they don't get on.  If they do have one, they get
> on.
> Now we're at RADIUS.  What type of user database do you have?
> Activedirectory?   Novell?  No having one is an acceptable answer as
> well.
> Post back, it's a lot of info, but we're here to help.
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221.html#a8626010
Sent from the FreeRadius - User mailing list archive at Nabble.com.

More information about the Freeradius-Users mailing list