Hi Tim,

Patrick wrote:
> My understanding is that RADIUS is a protocol for services that
> provide authentication for one or more different network access
> mechanisms. So, on its own, RADIUS is not really a solution at all,
> just part of a solution.

Yes, I think there's three parties. The laptop, the access point, and the RADIUS server software. RADIUS could be running on the access point's hardware, but doesn't have to be. The AP is configured to defer to RADIUS on whether the laptop is allowed. This can be using a username/password, or a certificate generated earlier by RADIUS solely for the laptop and then copied onto it.

So RADIUS knows how to Authenticate. It then Authorises, and that's where logic can come into it, e.g. only from 9-5 weekdays. It's up to the AP to implement the restrictions using what RADIUS tells it. I don't know the level of understanding between the AP and RADIUS, e.g. RADIUS might keep updating the AP with new Authorisations over time.

After that, RADIUS can keep track of Accounting, again with the AP's involvement as it's the AP that sees the traffic, not RADIUS. That allows buying 60 minutes of Wi-fi, etc.

> > Yes, that's a possibility, as the Draytek has multiple SSIDs with
> > scheduling. But fairly quickly the unscheduled SSID passwords will
> > be compromised.
>
> If the compromise is by means of extracting credentials from other
> devices, then I suppose the same risk could apply to a solution using
> RADIUS.

Yes, though ISTM some systems prevent easy copying of the certificate, e.g. Android.
https://www.ed.ac.uk/information-services/computing/desktop-personal/wifi-networking/configure-device/eduroam-android

-- 
Cheers, Ralph.
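
Added example, not part of the original message: a small Python model of the three-party flow described above. The server authenticates, authorises against the 9-5 weekday schedule, and returns a Session-Timeout (RFC 2865) that the AP enforces; the AP then reports usage as Acct-Session-Time (RFC 2866). The user name, password, balance and function names are constructed for illustration, and no real RADIUS packets are sent.

```python
import hmac
from datetime import datetime

# Constructed sample data, not from the original message.
USERS = {"laptop-01": "s3cret"}        # username/password known to the server
BALANCES = {"laptop-01": 60 * 60}      # prepaid seconds ("60 minutes of Wi-Fi")
OPEN_HOUR, CLOSE_HOUR = 9, 17          # the "9-5 weekdays" policy


def access_request(user, password, now):
    """RADIUS server: Authenticate, then Authorise.

    Returns a dict modelling Access-Accept or Access-Reject. Session-Timeout
    is the number of seconds the AP is told to allow for this session.
    """
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return {"code": "Access-Reject", "reason": "bad credentials"}
    if now.weekday() >= 5 or not (OPEN_HOUR <= now.hour < CLOSE_HOUR):
        return {"code": "Access-Reject", "reason": "outside schedule"}
    closing = now.replace(hour=CLOSE_HOUR, minute=0, second=0, microsecond=0)
    until_close = int((closing - now).total_seconds())
    # Grant no more than the schedule window or the remaining credit allows.
    allowed = min(until_close, BALANCES.get(user, 0))
    if allowed <= 0:
        return {"code": "Access-Reject", "reason": "no credit"}
    return {"code": "Access-Accept", "Session-Timeout": allowed}


def accounting_stop(user, acct_session_time):
    """RADIUS server: Accounting. The AP reports the seconds actually used."""
    BALANCES[user] = max(0, BALANCES[user] - acct_session_time)
    return BALANCES[user]


def ap_session(user, password, start, wants_seconds):
    """Access point: defer to RADIUS, enforce its answer, report usage."""
    reply = access_request(user, password, start)
    if reply["code"] != "Access-Accept":
        return reply, 0
    # The AP sees the traffic, so it is the AP that cuts the session off.
    used = min(wants_seconds, reply["Session-Timeout"])
    accounting_stop(user, used)
    return reply, used


if __name__ == "__main__":
    print(ap_session("laptop-01", "s3cret", datetime(2019, 4, 2, 16, 30), 7200))
```
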