the newbie on radiustesting strikes again

David Wood david at wood2.org.uk
Sun Apr 20 02:00:42 CEST 2008


Hi,

Ivan has already given you much good advice. I wanted to add a few 
comments.

In message <20080419222236.5BED97B8F8 at ws5-10.us4.outblaze.com>, Si St 
<sigbj-st at operamail.com> writes
>The Router supports EAP/WPA-Enterprise(has a box for this choice;)
>Automatic (WPA or WPA2), TKIP and AES

I would be very surprised if the RADIUS functionality on the router 
supports anything other than the wireless access point. It sounds like 
you have a consumer level unit - not an enterprise level router/firewall 
here.

If so, all you can do with RADIUS is to control access to your wireless 
network - the Authentication and Authorisation of AAA. Most consumer 
level units do not support Accounting - though some do. If your router 
doesn't support accounting, there's no point wasting any time setting up 
accounting in FreeRADIUS!

You will not have the RADIUS functionality of more expensive enterprise 
level wireless access points, such as the ability to return the VLAN to 
connect the user to from the RADIUS server. There again, if this is a 
consumer unit, it probably has no VLAN support anyway.


>There will probably for all practical purposes be only wireless 
>clients: 3 laptops and one workstation, but I have configured 2 IP 
>addresses for each laptop, one for their wireless card, the other 
>address for the wired/cabled card in case they will be needed.
>The access of the clients is controlled, allowing only the specific MAC 
>addresses of each machine to connect to the router. (Router's Netfilter) 
>The machines also have fixed IPs reserved.

I very much doubt that your router can make any use of RADIUS for 
handing out IP addresses, especially if the only mention of RADIUS is in 
connection with the wireless features.

Handing out IP addresses via RADIUS is most commonly done with NASes 
(dial in servers), VPN servers and CMTS (cable modem termination 
systems).

DHCP is more typical for bridged scenarios such as wireless networks. 
Your credentials get you connected to the wireless network, at which 
point the computer gets an IP address and related information (gateway 
address, DNS server(s), possibly WINS servers) via DHCP.


If you want better management of DHCP, one possibility is a DHCP server 
that uses an LDAP backend. You could also use LDAP to store user 
credentials for FreeRADIUS. However, with the size of your network, the 
added complexity probably isn't worthwhile.


Start with the simplest possible setup and only add functionality when 
you've got the basic stuff working. Keeping the configuration in a 
revision control system helps, too, not least when upgrading the server 
to a newer version. I use Subversion, but it is probably best to use 
what you're most familiar with.


FreeRADIUS 2.0.3 will make your task much easier as it will build the 
necessary certificates for EAP automatically. PEAP is pretty easy to get 
going as there's no need to generate client certificates.

Whatever your eventual aims, start by getting your wireless users on 
WPA2-Enterprise (or WPA2 / WPA mixed mode if you have any clients that 
can't do WPA2) authenticating against FreeRADIUS with PEAP. Use the 
users file for your users. Anything else should be built on top of that.


radiusd -X is your friend.

Best wishes,

David
-- 
David Wood
david at wood2.org.uk
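A minimal FreeRADIUS 2.x configuration of the kind the reply recommends (the access point as a RADIUS client, PEAP users in the users file), as an added example that is not part of the original message or of the FreeRADIUS distribution; the client name, LAN address, shared secret and user credentials are constructed placeholders.

```conf
# clients.conf -- the wireless access point that sends Access-Requests.
# The address and secret are constructed placeholders: use the AP's real
# LAN address and a long random secret entered identically on the AP.
client wifi-ap {
    ipaddr    = 192.168.1.1
    secret    = ChangeMe-LongRandomSecret
    shortname = wifi-ap
}

# users -- one entry per wireless user.  PEAP carries MSCHAPv2 inside
# the TLS tunnel, and MSCHAPv2 requires the server to know the cleartext
# password (or an NT hash), so Cleartext-Password is used rather than a
# one-way hash such as Crypt-Password.  Passwords here are constructed.
alice   Cleartext-Password := "alice-constructed-password"
bob     Cleartext-Password := "bob-constructed-password"
```

With both files in place, run `radiusd -X` in one terminal so every request and the EAP negotiation are printed as they happen, then connect a laptop configured for WPA2-Enterprise / PEAP. Before involving the access point at all, the users entry can be checked locally with radtest against the stock `localhost` client (secret `testing123` in the default clients.conf): `radtest alice alice-constructed-password localhost 0 testing123` should return an Access-Accept; radtest speaks PAP/CHAP/MSCHAP, not PEAP, so it confirms the credentials are read but not the EAP tunnel itself.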



More information about the Freeradius-Users mailing list