need help & advice getting started with freeradius

daniel knox mail at dknox.co.uk
Sun Apr 5 22:35:18 CEST 2009


Okie, I've spent some of this weekend looking into this and some of the
files included in freeradius (haven't had a chance to play around testing it
though).
 Am I right in guessing that once I've configured the LDAP group membership
filter, I include the unlang statement:

if (Ldap-Group == "whatever") {
    reject
}
as Ivan suggested, in my radiusd.conf file in the authorise part?

 Second up, I'm still juggling between what EAP type to use. It seems more
and more that PEAP is going to introduce a level of complexity which I would like
to avoid. What's the view of this list on what extension will be most
suitable in this case? As I mentioned previously, I would like to keep admin
work down as much as possible in terms of certificates, because currently many
of our users have to constantly come to ICT for help configuring their
wireless. Hence the idea of them just needing to use their username and
password, firstly to make it considerably easier for a user to get onto the
wireless and secondly to increase the security of our wireless network. Also,
is the use of a different EAP type going to cause difficulty in terms of
client compatibility? Aka, is a user with his poor Windows laptop going to
have to install something extra just to communicate with the wireless, or
should it just be as simple as: user sees wireless network, chooses it, it
prompts for username and password and off he goes? Do I have to use an EAP
type or can I get away with not having one / is this very ill advised?
 Basically, if you were in my position how would you go about it, is probably
what I'm asking for, lols. I admit wireless security is something I have not
gone very deep into before.

 Many thanks again.

On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter <alex at digriz.org.uk> wrote:

> tnt at kalik.net wrote:
> >
> >>In my scenario I would like to use PEAP if possible but not require the
> >>user client to have a certificate, just the radius-server (which is why I
> >>believe the TTLS solution will be inefficient here as I would have to deal
> >>with handing out client certificates to hundreds of users). And to be asked
> >>then their username and password to authenticate onto our wireless. Would
> >>combining these two guides work to get these two initial sets up and running?
> >>
> >
> TTLS is *not* an admin hassle, TLS is (client side certificates).  TTLS
> means you put a verifiable server certificate on the *server* end that
> the client can verify and know who it is talking to, then you can safely
> even send the password in plain text.
>
> > PEAP will require passwords stored as clear text or NT hash. If your
> > passwords are stored as something else they will have to be changed.
> >
> ...or...you use EAP-TTLS and get the client to send the passwords in
> plaintext and then do an LDAP bind() to check if the credentials are
> correct.
>
> Once you are doing this you can one day get around to (if you want to)
> putting in plaintext passwords into your LDAP database that FreeRADIUS
> can use and abuse.
>
> > As for combining freeradius and ldap, perhaps you should read the
> > freeradius documentation first (wiki or doc/rlm_ldap from the
> > download) and then see whether there is any need to bother with third party
> > stuff.
> >
> Well PEAP without AD means you have to jump through a lot of hoops
> manually configuring each client by hand.  With something like SecureW2
> you include a 'seeding' file and it will do all the hard manual priming.
>
> This is all overlooking that PEAP is horrible: if you want to play
> with OTPs or other fun custom things, good luck doing that with PEAP.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Marriage causes dating problems.
>
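The configuration below is an added illustration of the two points raised in this exchange (the Ldap-Group reject from the question, and EAP-TTLS with an inner PAP request checked by an LDAP bind as Alexander describes); it is not from the thread and not the FreeRADIUS project's shipped configuration. It assumes the FreeRADIUS 2.x file layout (raddb/eap.conf, raddb/sites-enabled/default, raddb/sites-enabled/inner-tunnel), an LDAP module instance named `ldap` whose `groupmembership_filter` and `groupname_attribute` are already set in raddb/modules/ldap, and an invented group name `wireless-users`; everything not shown is left at the shipped defaults.

```unlang
# --- raddb/eap.conf (FreeRADIUS 2.x): offer EAP-TTLS, inner method PAP ---
eap {
    default_eap_type = ttls
    tls {
        # server-side certificate only; clients are NOT issued certificates.
        # remaining tls settings as shipped in the default eap.conf
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        # the decrypted inner request is handed to this virtual server
        virtual_server = "inner-tunnel"
    }
}

# --- raddb/sites-enabled/default: the outer (unencrypted) request ---
authorize {
    preprocess
    suffix
    # With TTLS the outer User-Name may be "anonymous", so a group
    # check here would test the wrong identity; just hand off to EAP.
    eap {
        ok = return
    }
    # non-EAP requests (if any) fall through to LDAP
    ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}

# --- raddb/sites-enabled/inner-tunnel: inside the TLS tunnel ---
server inner-tunnel {
    authorize {
        # the real username and PAP password are only visible here
        ldap
        # "wireless-users" is an assumed group name for this example
        if (Ldap-Group == "wireless-users") {
            ok
        }
        else {
            reject
        }
    }
    authenticate {
        # rlm_ldap sets Auth-Type := LDAP when it finds the user but has no
        # readable password attribute; the bind below then checks the
        # credentials, so LDAP may store passwords in any hashed form.
        Auth-Type LDAP {
            ldap
        }
        eap
    }
}
```

The group check sits in `inner-tunnel` rather than the outer `authorize` because the tunnel is the only place the user's real identity is known. The PAP password is plaintext inside the tunnel, so the TLS server certificate is what protects it: clients must be configured to trust the issuing CA and to check the server name, otherwise an access point presenting any certificate can collect credentials, which is the point of the "verifiable server certificate" Alexander mentions.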