Help needed with freeradius, solaris and trapeze

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Apr 29 11:10:11 CEST 2008


Alan DeKok wrote:
> Guy Davies wrote:
>   
>> Erm... I'm using WPA2/AES that uses 802.1x to authenticate the user
>>     
Yes, Alan is just being facetious; WPA with a PSK is generally referred 
to as WPA-Personal, WPA with dynamic keying is generally referred to as 
WPA-Enterprise. Sometimes you see just WPA or WPA-PSK which most take to 
mean WPA-Personal.
>
>   Hmm... I thought the "WPA enterprise" did that...  Too many
> standards, I guess.
>
>   
>> You need to tell us which EAP method you plan to use.  If you are
>> using local users, you can take your pick from EAP-TTLS/PAP or
>> PEAP/MS-CHAPv2.  If you use the former, you can have the passwords
>> encrypted in the users file.  If you use the latter, the passwords
>> must be in clear text.
>>
>>     
Unless you're using PEAP offload, in which case you just need to list the 
mschap module, and have the user password available in cleartext or as 
an nt / lm hash... but don't use PEAP offload. Terminate the EAP tunnel 
in FR, it generally works better and is far simpler.
>> I believe that the default radius.conf and eap.conf files will work
>> automatically for either option.
>>     
>
>   In 2.0, yes.
>
>   
>> Trapeze uses some VSAs to specify which VLAN a user should be
>> connected to, what time-of-day they can connect, etc. 
Hmm, no. Trapeze use the standard VLAN assignment attributes just like 
any other vendor. You may be able to use the VSAs to do fancy stuff, but:

Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = <VID>

Works just the same.

>>  Just look in
>> dictionary.trapeze and you'll see the options.  The Trapeze
>> documentation was always pretty good at explaining the purpose and
>> format of those VSAs.  You *MUST* include a VLAN-Name VSA when
>> responding to a Trapeze unit or it won't connect you to the correct
>> VLAN.
>>     
I have an MXR-2 sitting on my desk that says otherwise. You can set a 
default VLAN for each wireless service profile....
>   Ah, yes.  *That* vendor.
>
>   
I happen to quite like that vendor and wish people would stop spreading 
misinformation, especially if they haven't used the kit for a few years 
*hmpf*.

Arran

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
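
The standard VLAN assignment attributes named in the message above, shown as they appear on the wire in an Access-Accept. This is an added example, not part of the original post or of FreeRADIUS: the function names are hypothetical, the attribute numbers and values are those of RFC 2868 and RFC 3580, and the decoder handles numeric VLAN IDs only and does not group attributes by tag.

```python
import struct

# RFC 2868 attribute numbers; RFC 3580 values for 802.1X VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def encode_vlan_attrs(vid, tag=0):
    """Encode the three VLAN assignment attributes as RADIUS TLVs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    out = b""
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # Type, Length (always 6), Tag, 3-octet value
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    # For the string attribute the tag octet is only sent when non-zero.
    body = (bytes([tag]) if tag else b"") + str(vid).encode("ascii")
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body


def decode_vlan(attrs):
    """Return the numeric VLAN ID, or None if the triplet is incomplete."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tunnel attribute must be 6 octets")
            seen[attr] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x1F or below is a tag, otherwise it is data.
            seen[attr] = value[1:] if value[0] <= 0x1F else value
        i += length
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if (seen.get(TUNNEL_TYPE), seen.get(TUNNEL_MEDIUM_TYPE)) != (VLAN, IEEE_802):
        return None
    return int(group) if group.isdigit() else None


# Constructed sample: the reply attributes for VLAN 42, untagged.
SAMPLE = encode_vlan_attrs(42)
```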
