free radius setup

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 11 00:54:08 CEST 2013 

On 10 Sep 2013, at 23:35, "Swenson, Chris" <cswenson at curry.edu> wrote:

> Yes, I already saw that and this is why I am stuck.
> I am using Aruba 3000 Wireless controllers running the 6.2.X.X code.
> As I understand it when the laptop user selects the secure SSID they should be prompted for a username and password.
> This username and password will be presented to radius as peap MS-CHAPV2.
> Radius then needs to authenticate this against my Openldap where the passwords are encrypted as SHA,  thus bad end.
> I could not find an encryption type in open ldap that would satisfy the chart.  

On the registration page you use to 'activate' users accounts for the service, you get them to login. Once their password is verified against OpenLDAP you do an LDAP modify and store the plaintext version.  This is exactly what we did at University of Sussex when we rolled out the service six years ago.

We opted to store NT-Password hashes.  These are not really any more secure than cleartext, but at least you don't accidentally see the user's output in any directory dumps or debug output.

The alternative is getting your users to install something like SecureW2 (which I believe requires a license now), and using EAP-TTLS-PAP which submits the users password in plaintext, or I believe more recent flavours of Windows support EAP-TTLS too.

> If it did work then I could take the info from radius accounting and pass it to our NAC control (Impulse Safe Connect) which will let 
> the students onto the network after they pass some computer hygiene checks.

Sure or you can use the result of Phil's excellent work on SoH, and do the hygiene checks at the same time as authentication (if you do go with PEAP).

> I have a population of 2000 college students who have little idea of what security really is.

Well that's a fairly small user base.  You should be able to handle that load on any fairly recent desktop machine. Hell you might even be able to do it on a Rasberry Pi provided they don't re-auth too often.

> And of course I am trying to do this on the typical budget provided by a non-profit such as my college is.

The majority of Universities in the UK and many smaller colleges implement Eduroam which require 802.1X authentication.  It's not terribly expensive seeing as all the software is free...

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list