Wireless WPA2 enterprise Radius authentication

Maurice James midnightsteel at msn.com
Fri Oct 29 03:28:09 CEST 2010


Working settings
I will be stating the changes from the default settings that I made to get
it to work. All file names are followed by a colon :


<<<<< = notes changes



****First you must have your ldap server store passwords in clear text. They
CANNOT be hashed in any way****

eap.conf:
default_eap_type = peap  <<<<<


ldap.attrmap:
checkItem	Cleartext-Password		userPassword   <<<<< (this entire line was added to the top of the list)



inner-tunnel:
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap <<<<<(this must be uncommented)


ldap:
ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "xxx.xxx.xxx" <<<<<(your ldap server)
	identity = "uid=xxx,ou=xxx,ou=TopologyManagement,o=xxx" <<<<<(your ldap admin user)
	password = xxxxx <<<<<(your ldap admin password)
	basedn = "dc=xxx,dc=xxx" <<<<<(your base dn)
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"





mschap:
use_mppe = yes <<<<<(not sure if this is needed but I changed it from no to yes)
with_ntdomain_hack = yes <<<<<(not sure if this is needed but I changed it from no to yes)



default:
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap<<<<<(uncomment)



These are all of the settings that I changed to get Windows 7/Vista x64 >
WPA2 > freeradius > 389-DS(Fedora Directory Server) to work

-----Original Message-----
From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
[mailto:freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org]
On Behalf Of Maurice James
Sent: Thursday, October 28, 2010 4:37 PM
To: 'FreeRadius users mailing list'
Subject: RE: Wireless WPA2 enterprise Radius authentication

OK gentlemen,
          After many sleepless nights I finally got it working. I was almost
in tears (lol) but it's done. Full authentication and authorization for a mix
of Windows7 x64/Vista x64 clients using WPA2 Enterprise, Freeradius,
389-DS(Fedora Directory Services). I will post the configs in a follow-up
email.

Special thanks to the following
John Dennis
Sven Hartge
Phil Mayers

Thanks guys



MCITP Enterprise + Server
 GIAC Security Leadership Certification (GSLC)




-----Original Message-----
From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
[mailto:freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org]
On Behalf Of John Dennis
Sent: Wednesday, October 27, 2010 8:54 PM
To: FreeRadius users mailing list
Subject: Re: Wireless WPA2 enterprise Radius authentication

On 10/27/2010 07:56 PM, Maurice James wrote:
> I will give it another try. I've been trying for the last hour to get 
> the clear text password policy to stick to a user. Every time I run 
> the radius debug I see hashed value passed from LDAP. I have to search 
> online for the instructions on how to get 389-ds server to use clear 
> text. Thanks for all the help and advice all. This is one of the most 
> responsive lists that I have ever been a member of

389-ds has most all the features I mentioned. The Administrators Guide is
your friend.

389-ds doc can be found here:

http://directory.fedoraproject.org/wiki/Documentation#389_Documentation

The Administrators Guide can be found here:

http://www.redhat.com/docs/manuals/dir-server

--
John Dennis <jdennis at redhat.com>

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
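
Added example, not part of the original thread and not FreeRADIUS or 389-DS code: the top message says userPassword has to reach FreeRADIUS unhashed, and the quoted message describes seeing a hashed value in the radius debug output, so this Python script audits an LDIF export of the directory and reports how each account's password is stored. The DNs and passwords are constructed sample data, and the rule that a leading {SCHEME} tag marks a hashed value (no tag meaning clear text) is an assumption of the example.

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")  # e.g. {SSHA}, {CRYPT}, {MD5}

def parse_ldif(text):
    """Yield (dn, userPassword bytes or None) for each entry in an LDIF export."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, pw = None, None
        for line in block.splitlines():
            m = re.match(r"([\w;-]+)(::?) ?(.*)$", line)
            if not m:
                continue  # comments and anything that is not "attr: value"
            attr, sep, val = m.groups()
            raw = base64.b64decode(val) if sep == "::" else val.encode()
            if attr.lower() == "dn":
                dn = raw.decode()
            elif attr.lower() == "userpassword":
                pw = raw
        if dn:
            yield dn, pw

def classify(value):
    """Return (scheme, stored_unhashed) for one userPassword value."""
    if value is None:
        return "MISSING", False
    m = SCHEME_RE.match(value)
    # Assumption: a leading {SCHEME} tag names the storage scheme; no tag means clear text.
    scheme = m.group(1).decode().upper() if m else "CLEAR"
    return scheme, scheme == "CLEAR"

def audit(text):
    """List (dn, scheme, stored_unhashed) for every entry."""
    return [(dn, *classify(pw)) for dn, pw in parse_ldif(text)]

# Constructed sample data: three made-up users, one salted hash folded across two lines.
_salt = b"\x01\x02\x03\x04"
_ssha = b"{SSHA}" + base64.b64encode(hashlib.sha1(b"example" + _salt).digest() + _salt)
_b64 = base64.b64encode(_ssha).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,dc=example,dc=com\nuserPassword:: " + _b64[:30] + "\n " + _b64[30:] + "\n\n"
    "dn: uid=bob,dc=example,dc=com\nuserPassword: example-cleartext\n\n"
    "dn: uid=carol,dc=example,dc=com\nuid: carol\n"
)

if __name__ == "__main__":
    for dn, scheme, unhashed in audit(SAMPLE_LDIF):
        print(f"{dn}: {scheme} -> {'stored unhashed' if unhashed else 'hashed or absent'}")
```

The same listing doubles as an inventory of which accounts hold a readable password in the directory, which is worth knowing when deciding who may read userPassword.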