Wireless WPA2 enterprise Radius authentication
Maurice James
midnightsteel at msn.com
Fri Oct 29 03:28:09 CEST 2010
Working settings
I will be stating the changes from the default settings that I made to get
it to work. All file names are followed by a colon :
<<<<< = notes changes
****First you must have your ldap server store passwords in clear text. They
CANNOT be hashed in any way****
eap.conf:
default_eap_type = peap <<<<<
ldap.attrmap:
checkItem Cleartext-Password userPassword <<<<<(this entire line was added to the top of the list)
inner-tunnel:
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap <<<<<(this must be uncommented)
ldap:
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "xxx.xxx.xxx" <<<<<(your ldap server)
identity = "uid=xxx,ou=xxx,ou=TopologyManagement,o=xxx" <<<<<(your ldap admin user)
password = xxxxx <<<<<(your ldap admin password)
basedn = "dc=xxx,dc=xxx" <<<<<(your base dn)
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
mschap:
use_mppe = yes <<<<<(not sure if this is needed but I changed it from no to yes)
with_ntdomain_hack = yes <<<<<(not sure if this is needed but I changed it from no to yes)
default:
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap <<<<<(uncomment)
These are all of the settings that I changed to get Windows 7/Vista x64 >
WPA2 > freeradius > 389-DS(Fedora Directory Server) to work
-----Original Message-----
From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
[mailto:freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org]
On Behalf Of Maurice James
Sent: Thursday, October 28, 2010 4:37 PM
To: 'FreeRadius users mailing list'
Subject: RE: Wireless WPA2 enterprise Radius authentication
OK gentlemen,
After many sleepless nights I finally got it working. I was almost
in tears (lol) but it's done. Full authentication and authorization for a mix
of Windows7 x64/Vista x64 clients using WPA2 Enterprise, Freeradius,
389-DS(Fedora Directory Services). I will post the configs in a follow-up
email.
Special thanks to the following
John Dennis
Sven Hartge
Phil Mayers
Thanks guys
MCITP Enterprise + Server
GIAC Security Leadership Certification (GSLC)
-----Original Message-----
From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
[mailto:freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org]
On Behalf Of John Dennis
Sent: Wednesday, October 27, 2010 8:54 PM
To: FreeRadius users mailing list
Subject: Re: Wireless WPA2 enterprise Radius authentication
On 10/27/2010 07:56 PM, Maurice James wrote:
> I will give it another try. I've been trying for the last hour to get
> the clear text password policy to stick to a user. Every time I run
> the radius debug I see hashed value passed from LDAP. I have to search
> online for the instructions on how to get 389-ds server to use clear
> text. Thanks for all the help and advice all. This is one of the most
> responsive lists that I have ever been a member of
389-ds has most all the features I mentioned. The Administrators Guide is
your friend.
389-ds doc can be found here:
http://directory.fedoraproject.org/wiki/Documentation#389_Documentation
The Administrators Guide can be found here:
http://www.redhat.com/docs/manuals/dir-server
--
John Dennis <jdennis at redhat.com>
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
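Added example, not part of the original e-mails and not FreeRADIUS or 389-DS code: the thread turns on whether LDAP hands back a hashed or a clear-text userPassword, so this sketch reads an LDIF export and reports the storage scheme of each entry without printing the value. The sample users, DNs, the placeholder hash and the set of scheme names treated as unhashed are assumptions; LDIF line folding is not handled.

```python
import base64
import re

# Constructed placeholder, not a real hash; base64 is how LDIF exports often carry it.
_HASHED = base64.b64encode(("{SSHA}" + "A" * 32).encode()).decode()

# Constructed sample LDIF (hypothetical users and DNs, not from the original e-mail).
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword:: {_HASHED}

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword: {{clear}}constructed-secret

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword: constructed-secret
"""

SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")
CLEAR_SCHEMES = {"CLEAR", "CLEARTEXT"}  # assumption: prefixes meaning "not hashed"

def password_scheme(value):
    """Return the {SCHEME} prefix in upper case, or 'CLEAR' when there is none."""
    m = SCHEME.match(value)
    return m.group(1).upper() if m else "CLEAR"

def audit(ldif):
    """Map each uid to (scheme, True if the value can serve as Cleartext-Password)."""
    report = {}
    for entry in ldif.strip().split("\n\n"):
        uid, value = None, None
        for line in entry.splitlines():
            if line.startswith("uid: "):
                uid = line[5:]
            elif line.startswith("userPassword:: "):  # base64-encoded attribute value
                value = base64.b64decode(line[15:]).decode("utf-8", "replace")
            elif line.startswith("userPassword: "):
                value = line[14:]
        if uid and value is not None:
            scheme = password_scheme(value)
            report[uid] = (scheme, scheme in CLEAR_SCHEMES)
    return report

if __name__ == "__main__":
    for uid, (scheme, ok) in audit(SAMPLE_LDIF).items():
        print(f"{uid}: {scheme} -> {'clear text' if ok else 'hashed'}")
```

The same report doubles as an inventory of which accounts are stored in clear text in the directory.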