Hi,

> I'm using freeradius-1.1.2 on a FreeBSD server and I've compiled it
> against openldap-2.3.24, which all went well. I'm attempting to set up
> secure wireless with WPA2 using our LDAP directory for authentication.
> We have a replica of our directory running on the freeradius server.
> Originally I had hoped to use some sort of
> web-redirect-to-an-authentication-page system like you sometimes see in
> hotels, but I can't find anything about that (any information welcome).
"captive portal" - there are several software tools that will do this, e.g.
http://en.wikipedia.org/wiki/Captive_portal. Most people seem to be moving
away from this method as it is riddled with possible security compromises.

> After reading around, the best form of authentication I can see would be
> EAP-TTLS with PAP as the inner protocol. I believe (from comments in the
> radiusd.conf file) that I wouldn't be able to use MD5 with LDAP. Now,
> I've set it up in a way that appears to be mostly right and I *can*
> authenticate with my username/password in LDAP, but doing a tcpdump on
> the radius server worries me. I can see my username passed in the clear
> in the packets, so I'm concerned it's not using TLS at all. I told the
> wireless client to use TTLS, so I can't understand what's going on.

PAP uses clear-text (unencrypted) password authentication. Whilst the EAP-TTLS
traffic is encrypted (and the PAP lurks inside that encrypted session), when
you CAN see the PAP in the clear is when it's being sent over to LDAP - so you
need to make sure that that communication is encrypted, either by making sure
it's configured to use SSL for its communication channel, or simply
stunnel'ing the traffic.

> modules {
>   ldap {
>     server = "localhost"
>     filter = "(uid=%u)"
>     base_filter = "(objectclass=radiusprofile)"
>     start_tls = no
        ^^^^^^^^^^^^^^ this!
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>   }
> }
>
> authorize {
>   eap
>   ldap
> }

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
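As an added example (not the poster's config and not taken from the thread), here is the same ldap module block rewritten the way Alan's reply suggests: STARTTLS switched on so the simple bind that carries the inner PAP password to slapd travels inside TLS rather than in the clear. The option names are those of the freeradius 1.1.x rlm_ldap module; the CA certificate path and the basedn are assumptions for illustration, and "localhost" and the filters are kept from the original post.

```conf
# Added example: rlm_ldap in freeradius 1.1.x with STARTTLS enabled.
# The point is the start_tls / tls_* lines; everything else mirrors the post.
modules {
    ldap {
        server = "localhost"
        port = 389                         # STARTTLS upgrades the plain port; no ldaps needed

        # Even with the replica on the same host, a cleartext simple bind on
        # port 389 shows the user's password to anyone who can sniff that
        # traffic. STARTTLS wraps the bind and the searches in TLS.
        start_tls = yes

        # Assumed path: the CA that signed the slapd certificate, so the
        # module can verify it is really talking to our directory.
        tls_cacertfile   = /usr/local/etc/raddb/certs/ldap-ca.pem
        # "demand": refuse the connection if the server certificate does not
        # verify. Leaving this at the default would accept any certificate and
        # make the TLS protection only cosmetic against an active attacker.
        tls_require_cert = "demand"

        basedn      = "dc=example,dc=com"  # assumed; the post did not show a basedn
        filter      = "(uid=%u)"
        base_filter = "(objectclass=radiusprofile)"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}
```

Before restarting radiusd, confirm that slapd actually offers STARTTLS (for example with `ldapsearch -x -ZZ -H ldap://localhost -b "dc=example,dc=com" "(uid=someuser)"`; `-ZZ` makes the search fail rather than fall back to cleartext). Then, with `tcpdump -ni lo0 port 389` running during a TTLS/PAP login, the cleartext bind request containing the password should be gone, replaced by the extended-operation request and TLS records. One caveat on the original symptom: the outer EAP-TTLS identity (the EAP-Response/Identity that becomes the RADIUS User-Name) is sent in the clear by design, so a username in a tcpdump on the RADIUS server is expected even when the tunnel is working; supplicants that allow an anonymous outer identity hide it.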

