ldap/krb5 auth and access point Authentication methods ?

A.L.M.Buxey at lboro.ac.uk
Sat Oct 11 15:55:29 CEST 2008


Hi,

> I'd like to use freeradius to auth. our users. I read that freeradius
> can use openldap and kerberos, so I suppose I will set up these for auth.

- or just use one of them - decide which one to use and ensure
clients are configured correctly

> Most of my Wi-Fi users will be Windows/Mac OS and I'd like to avoid
> custom installation on the laptops.

in that case, PEAP with MSCHAPv2 - windows only does EAP-TLS and PEAP
without additional software (new supplicant or additional supplicant
plugin). you'll also want your RADIUS server cert to be signed
by a main cert authority. I prefer to use a self-signed (because it's
then a closed loop system and a LOT harder for someone to pretend
to be your RADIUS) - but if you do it this way you'd have to get the
self CA onto the systems trusted cert reg - and that's client
config work - which you seem to want to avoid.

> Which auth method should I use on the access points ?

err, none. you configure them to have a network with an SSID
of whatever, serving out a network which is WPA enterprise
(all the usual crypto stuff) with a RADIUS server of x.y.z.a
(and maybe a second and third one for backup). the client
supplicant and the RADIUS server deal with the auth method.
the AP gets a simple 'let this user on' message at the end
of the day.

alan
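
Added example, not part of the original message: what the access point side described above looks like if the AP runs hostapd (an assumption; commercial APs expose the same settings under other names). The interface name, SSID, addresses and shared secret are constructed placeholders. Note that no EAP method appears anywhere in it.

```ini
# hostapd.conf - AP acting as a pass-through 802.1X authenticator.
# All values below are constructed placeholders for illustration.

interface=wlan0
ssid=example-campus

# WPA2 Enterprise: keys come from the EAP exchange, not from a passphrase
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# Require 802.1X and relay EAP to an external RADIUS server;
# eap_server=0 disables hostapd's built-in EAP server, so the AP
# never needs to know whether the client is doing PEAP or EAP-TLS
ieee8021x=1
eap_server=0

# How this AP identifies itself to the RADIUS server
own_ip_addr=192.0.2.10
nas_identifier=ap1.example.org

# Primary RADIUS server (the "x.y.z.a" in the message)
auth_server_addr=192.0.2.1
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET

# Backup RADIUS server, tried if the primary does not answer
auth_server_addr=192.0.2.2
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
```

The shared secret must match the entry for this AP in the RADIUS server's client list, and it should be unique per AP so that one compromised device does not expose the others.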



More information about the Freeradius-Users mailing list