Basic usage: What do I do next to get this to work?
doc.caliban at gmail.com
Wed Oct 31 13:04:44 CET 2007
Alan DeKok wrote:
> Doc. Caliban wrote:
>> All of our public workstations are on this interface so the machines are
>> verified at the proxy.
> So... how does it do that?
IPCop, the network router, is the NAS in this case.
It has 3 interfaces, the WAN, LAN, and WiFi Access. (Known in IPCop as
Red, Green, and Blue.) A fourth interface (Orange) can be added as a
DMZ, but I don't need that at this time.
The Blue interface requires a MAC address for each node allowed to
connect. Typically you'd just put the AP's MAC in there and let the AP
act as the DHCP server. In reality you can add the MAC for any device
you want, which is how the public machines are verified: The only way
they can connect in the first place is that I've added their MAC
addresses to the access list.
IPCop can also require user authentication across both the Green and
Blue interfaces (It's all or nothing in that regard) via a local ACL,
identd, LDAP, Windows authentication, or RADIUS. My user database
already exists in MySQL for other reasons, so using RADIUS to tap into
that is the easiest solution. For various reasons, I also do not want
to add about 80% of the users to the windows AD.
The plus side of this is that anyone using a public machine will have to
be a valid user. The downside is that the few people who are on the LAN
(Green) interface will also have to deal with RADIUS even though they
are already validated in the Windows domain. It had been suggested to
add their MAC's to the user database in MySQL and arrange it so that
they are allowed to skip the RADIUS process, but dealing with that is
well out of my skill set.
In January we will receive a bunch of Cisco AP's to replace the rather
motley collection that we are using now. At that point I will look at
handing the NAS functions to them, but for now it will happen at the router.
From the feedback, it sounds like I'm heading in the right direction
with PEAP / MS-CHAP-V2, which is what my test laptop came up with
automatically. I will also be sure to incorporate the suggestions
regarding the proper configuration of the clients in implementing this.
This has been a great resource! Thanks to everyone who has responded,
and to whoever set up and maintains the mailing list.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users