the newbie on radiustesting strikes again

David Wood david at wood2.org.uk
Sun Apr 20 21:29:36 CEST 2008


Hi there,

In message <20080420183618.69235CBE80 at ws5-11.us4.outblaze.com>, Si St 
<sigbj-st at operamail.com> writes
>> ----- Original Message -----
>> From: "David Wood" <david at wood2.org.uk>
>> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>> Subject: Re: the newbie on radiustesting strikes again
>> Date: Sun, 20 Apr 2008 01:00:42 +0100
>>
>>
>> Hi,
>>
>> Ivan has already given you much good advice. I wanted to add a few comments.
>>
>> In message <20080419222236.5BED97B8F8 at ws5-10.us4.outblaze.com>, Si
>> St <sigbj-st at operamail.com> writes
>> > The Router supports EAP/WPA-Enterprise(has a box for this choice;)
>> > Automatic (WPA or WPA2), TKIP and AES
>>
>> I would be very surprised if the RADIUS functionality on the router
>> supports anything other than the wireless access point. It sounds
>> like you have a consumer level unit - not an enterprise level
>> router/firewall here.
>
>You are most probably 100% right
>In a previous mail I told this router to be a DLINK DIR-635
>ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_manual_ww.pdf

Thanks for that - a quick glance confirms it to be a consumer level unit 
and the RADIUS functionality is limited to the wireless access point, as 
I thought.


>> If so, all you can do with RADIUS is to control access to your
>> wireless network - the Authentication and Authorisation of AAA.
>> Most consumer level units do not support Accounting - though some
>> do. If your router doesn't support accounting, there's no point
>> wasting any time setting up accounting in FreeRADIUS!
>
>Which will practically mean access to the router only
>And the router cannot handle Accounting that will mean giving user 
>names and passwords

Correct - you can use user names and passwords with PEAP, or digital 
certificates with EAP-TLS, to access your wireless network rather than 
the single shared secret (PSK) of WPA-Personal.


>> You will not have the RADIUS functionality of more expensive
>> enterprise level wireless access points, such as the ability to
>> return the VLAN to connect the user to from the RADIUS server.
>> There again, if this is a consumer unit, it probably has no VLAN
>> support anyway.
>
>I find only a box for Virtual Server on the router and on Advanced 
>Network only uPnP; not much to go for here.

This is consumer gear - I would be very surprised to see any VLAN 
support. I doubt you have 802.1Q capable switches anyway (though L2 
managed 10/100 switches are inexpensive these days).

See http://en.wikipedia.org/wiki/VLAN for more on VLANs.


>> If you want better management of DHCP, one possibility is a DHCP
>> server that uses an LDAP backend. You could also use LDAP to store
>> user credentials for FreeRADIUS. However, with the size of your
>> network, the added complexity probably isn't worthwhile.

I should just note that Alan's announcement of the DHCP functionality in 
the CVS HEAD (and presumably 2.0.4 when it is released) will allow you 
to use FreeRADIUS to hand out IP addresses - though I suspect that the 
limitations on this experimental module at present will mean that you're 
better off sticking with your existing DHCP server.


>Right. But my intentions here were to see what I could achieve choosing 
>the WPA-Enterprise option alternatively to the WPA-Personal (as the 
>checkboxes on the router call it), and thereby maybe apply the 
>FreeRadius.

Of course - and that is a valuable aim in itself.

Bearing in mind that port 1812 is the only one mentioned (and not 1813), 
I suspect that your router doesn't support accounting. There's no 
support for handing out IP addresses via RADIUS attributes either.


>My question was: Is it really possible for me to do this networking 
>different, and with EAP, and learn something from it? How complicated 
>is this task, and is it possible to do it fairly simple gaining profit 
>from a resultant more secure network? And thus grow in knowledge and 
>experience?

What you're looking to do is entirely possible, and is worthwhile and 
valuable. It's where I started out with FreeRADIUS.


You can set up FreeRADIUS to authorise your wireless users by user name 
and password, using PEAP (if you want to give it its full name, 
PEAPv0/EAP-MSCHAPv2). This will give you a log of who accessed your 
wireless network and when, and you have better granularity in the access 
control (that is, you can change and revoke passwords for each user 
separately, rather than having a single shared secret).

WPA Enterprise is also stronger, because the PMK is generated from the 
EAP exchange and lasts the lifetime of the session, rather than being a 
cryptographic hash of the PSK (which lasts until you change the PSK).


If you wish, you can also experiment with EAP-TLS, and learn more about 
running your own PKI. This will teach you loads about digital 
certificates, certificate authorities and the like.


>So far I have learned a lot more through this mailinglist concerning my 
>aims than I originally expected. The way my questions are answered 
>forces me to think in the right rational way and professionally simpler.

It sounds worthwhile all round, then!


Best wishes,




David
-- 
David Wood
david at wood2.org.uk
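As an added illustration of the point made above about where the PMK comes from (this is example code, not part of David's mail and not FreeRADIUS's own code): under WPA-Personal the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, so every station in every session uses the same key until the passphrase is changed, whereas under WPA-Enterprise the PMK is the first 256 bits of the per-session EAP Master Session Key. The EAP MSK here is simulated with random bytes rather than produced by a real PEAP/EAP-TLS run, and the passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i test vector.

```python
import os
import hashlib

# IEEE 802.11i parameters for deriving the PSK/PMK from a passphrase.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256 bits


def wpa_personal_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).

    The same passphrase + SSID always yields the same PMK, for every station
    and every session, until the passphrase is changed on the router.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def wpa_enterprise_pmk(msk: bytes) -> bytes:
    """WPA-Enterprise: PMK = first 256 bits of the EAP Master Session Key.

    The RADIUS server exports the 64-byte MSK at the end of the EAP exchange;
    FreeRADIUS sends its two halves to the access point in the
    MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes of the Access-Accept.
    """
    if len(msk) < 64:
        raise ValueError("EAP MSK must be at least 64 bytes")
    return msk[:PMK_LEN]


def simulated_eap_msk() -> bytes:
    """Stand-in (constructed, not real EAP) for the 64-byte MSK that a real
    PEAP or EAP-TLS run derives from the TLS key material of that session."""
    return os.urandom(64)


def pmks_for_sessions(mode: str, sessions: int,
                      passphrase: str = "password", ssid: str = "IEEE") -> list:
    """Return the PMK each of `sessions` wireless associations would use."""
    if mode == "personal":
        return [wpa_personal_pmk(passphrase, ssid) for _ in range(sessions)]
    if mode == "enterprise":
        return [wpa_enterprise_pmk(simulated_eap_msk()) for _ in range(sessions)]
    raise ValueError("mode must be 'personal' or 'enterprise'")


def distinct_pmk_count(mode: str, sessions: int) -> int:
    """How many different PMKs appear across `sessions` associations."""
    return len(set(pmks_for_sessions(mode, sessions)))


if __name__ == "__main__":
    print("WPA-Personal PMK for passphrase 'password', SSID 'IEEE':")
    print(" ", wpa_personal_pmk("password", "IEEE").hex())
    for mode in ("personal", "enterprise"):
        print(f"{mode}: {distinct_pmk_count(mode, 5)} distinct PMK(s) across 5 sessions")
```

Running it shows one PMK shared by all five WPA-Personal sessions and five different PMKs for the WPA-Enterprise sessions, which is the practical difference behind "lasts the lifetime of the session" versus "lasts until you change the PSK": revoking one user under WPA-Personal means re-keying every device, while under PEAP or EAP-TLS it is a change on the FreeRADIUS server alone.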


