the newbie on radiustesting strikes again

Si St sigbj-st at operamail.com
Sun Apr 20 20:36:18 CEST 2008


> ----- Original Message -----
> From: "David Wood" <david at wood2.org.uk>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Subject: Re: the newbie on radiustesting strikes again
> Date: Sun, 20 Apr 2008 01:00:42 +0100
> 
> 
> Hi,
> 
> Ivan has already given you much good advice. I wanted to add a few comments.
> 
> In message <20080419222236.5BED97B8F8 at ws5-10.us4.outblaze.com>, Si 
> St <sigbj-st at operamail.com> writes
> > The Router supports EAP/WPA-Enterprise(has a box for this choice;)
> > Automatic (WPA or WPA2), TKIP and AES
> 
> I would be very surprised if the RADIUS functionality on the router 
> supports anything other than the wireless access point. It sounds 
> like you have a consumer level unit - not an enterprise level 
> router/firewall here.

You are most probably 100% right.
In a previous mail I said this router is a D-Link DIR-635:
ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_manual_ww.pdf

> 
> If so, all you can do with RADIUS is to control access to your 
> wireless network - the Authentication and Authorisation of AAA. 
> Most consumer level units do not support Accounting - though some 
> do. If your router doesn't support accounting, there's no point 
> wasting any time setting up accounting in FreeRADIUS!

Which will practically mean access to the router only.
And since the router cannot handle Accounting, that will mean giving user names and passwords.

> 
> You will not have the RADIUS functionality of more expensive 
> enterprise level wireless access points, such as the ability to 
> return the VLAN to connect the user to from the RADIUS server. 
> There again, if this is a consumer unit, it probably has no VLAN 
> support anyway.

I find only a box for Virtual Server on the router and, on Advanced Network, only UPnP; not much to go for here.

> 
> 
> > There will probably for all practical purposes be only wireless 
> > clients:3 laptops and one workstation,but I have configured 2 IP 
> > addresses for each laptop, one for their wireless card the other 
> > address for the wired/cabled card in case they will be needed.
> > The access of the clients are controlled allowing only the 
> > specific MAC addresses of each machine to connect to the 
> > router.(Routers Netfilter) The machines have also fixed IPs 
> > reserved.
> 
> I very much doubt that your router can make any use of RADIUS for 
> handing out IP addresses, especially if the only mention of RADIUS 
> is in connection with the wireless features.
> 
> Handing out IP addresses via RADIUS is most commonly done with 
> NASes (dial in servers), VPN servers and CMTS (cable modem 
> termination systems).
> 
> DHCP is more typical for bridged scenarios such as wireless 
> networks. Your credentials get you connected to the wireless 
> network, at which point the computer gets an IP address and related 
> information (gateway address, DNS server(s), possibly WINS servers) 
> via DHCP.
> 
> 
> If you want better management of DHCP, one possibility is a DHCP 
> server that uses an LDAP backend. You could also use LDAP to store 
> user credentials for FreeRADIUS. However, with the size of your 
> network, the added complexity probably isn't worthwhile.

Right. But my intentions here were to see what I could achieve by choosing the WPA-Enterprise option as an alternative to WPA-Personal (as the checkboxes on the router call it), and thereby maybe apply FreeRADIUS. My question was: is it really possible for me to do this networking differently, and with EAP, and learn something from it? How complicated is this task, and is it possible to do it fairly simply, gaining profit from a resulting more secure network? And thus grow in knowledge and experience?
So far I have learned a lot more through this mailing list concerning my aims than I originally expected. The way my questions are answered forces me to think in the right rational way and professionally simpler.

> 
> 
> Start with the simplest possible setup and only add functionality 
> when you've got the basic stuff working. Keeping the configuration 
> in a revision control system helps, too, not least when upgrading 
> the server to a newer version. I use Subversion, but it is probably 
> best to use what you're most familiar with.

Excellent instruction for me, this.

> 
> 
> FreeRADIUS 2.0.3 will make your task much easier as it will build 
> the necessary certificates for EAP automatically. PEAP is pretty 
> easy to get going as there's no need to generate client 
> certificates.

Q: When one of the Windows laptops tries to connect to the wireless network, a window sometimes pops up asking for a certificate. But not all the time. It seems as if there is a box with an entry for a server certificate in the EAP config of that machine. One of the laptops (ASUS) has no entry whatsoever for an EAP extension. The others have. Strange. Any quick comment here?

> 
> Whatever your eventual aims, start by getting your wireless users 
> on WPA2-Enterprise (or WPA2 / WPA mixed mode if you have any 
> clients that can't do WPA2) authenticating against FreeRADIUS with 
> PEAP. Use the users file for your users. Anything else should be 
> built on top of that.

Thanks. This is clarifying instruction.

> 
> 
> radiusd -X is your friend.
> 
> 
> 
> Best wishes,
> 
> 
> 
> 
> David
> -- David Wood
> david at wood2.org.uk
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


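As an added illustration of the starting point David describes (one user in the `users` file, PEAP on the router, `radiusd -X` to watch what happens), here is the minimal configuration and the first check. This is not from the original thread; the user name, the password and the file paths are assumed, and FreeRADIUS 2.x defaults are assumed for the rest.

```text
# raddb/users  (FreeRADIUS 2.x)
# One test user. PEAP's inner MS-CHAPv2 needs a password the server can
# derive an NT hash from, so the entry must be Cleartext-Password, not a
# crypt()/MD5 hash. Because of that, keep the file readable only by the
# user radiusd runs as (chmod 600, owner radiusd), never world-readable.
"alice"    Cleartext-Password := "change-me-example"

# 1. Run the server in debug mode in the foreground (it logs every
#    request, every module decision and the full EAP/PEAP tunnel setup):
#        radiusd -X
#
# 2. From a second shell, check that the user entry and the shared secret
#    work at all. radtest sends a plain PAP request; the stock clients.conf
#    already defines client 127.0.0.1 with secret "testing123":
#        radtest alice change-me-example localhost 0 testing123
#    A working setup answers with "Access-Accept"; "Access-Reject" with
#    "No reply" means wrong secret or a client entry that does not match.
#
# 3. Only then point the router's WPA2-Enterprise page at this server,
#    with the same shared secret entered for the router's IP in
#    clients.conf, and connect one laptop while radiusd -X is still running.
```

radtest only exercises the PAP path, so it proves the user entry and the client secret, not PEAP itself; the PEAP tunnel is exercised by the laptop's first connection, and the `radiusd -X` output then shows whether the server certificate is accepted and the inner MS-CHAPv2 exchange succeeds, which is also where the certificate prompt the Windows laptops show would be diagnosed.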
