Hi,

> we have some new Edimax EW-7209APg, that support RADIUS Auth with EAP/MD5.
> 1) How can I setup that system to make it as simple as possible for our
> teachers.

Using EAP is a good idea, but EAP-MD5 in particular is a bad one. Some recent supplicants won't allow you to use EAP-MD5 any more, since it doesn't support mutual authentication. The good thing is: the EAP type used is none of the Access Point's business. If it can do EAP-MD5, it can also do "sane" EAP types like TTLS or PEAP.

> We don't need ssl or WAP or a split connection, where WLAN access is
> just granted to the intra but not internet or vice versa.

You should be careful with such statements; if you have a few clever pupils in your school, you can almost bet they will go to some length to discover the teacher's password. Securing the credentials with SSL, and securing the traffic over-the-air with WPA or WPA2 is a good thing to consider.

> I want to have my wired hosts and the wlan-hosts in one net (e.g.
> 192.168.10.0), no VLAN.
> As simple as possible, people with username/password can access the net
> wireless, wired clients are always on the net.

EAP-PEAP and EAP-TTLS both support username/password operation.

> 2) Is there a "best practice guide" for this kind of situation??

Google for "configuring PEAP freeradius" should give you some good starting points. This has been done hundreds of times. If your school belongs to higher ed and you are connected to BELNET, consider joining eduroam ( http://www.eduroam.be/ , http://www.eduroam.org/ ). There are plenty of experts around who have done PEAP in eduroam.

> 3) Do I have to install a captive-portal??

A captive portal will make it easy for teachers' access credentials to be intercepted or phished. It will not secure the connection over-the-air. It requires your teachers to enter their credentials every time they want to (re-)connect. So, no, don't install a captive portal. Use WPAx+RADIUS.

> 4) The EW-7209APg has a built-in RadiusServer, but I didn't manage to
> connect a laptop wireless to it, how is this done. (with no auth it
> works), but I don't understand what I have to do on the laptop to show me
> some kind of window to enter username and password, or is this done as
> some kind of dialup.

This mailing list is about FreeRADIUS. I'm sorry that your gear doesn't work as you expect, but please don't ask us questions about an unrelated product.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
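
Added example, not part of the original message or of the FreeRADIUS project's shipped configuration: a minimal sketch of the server side of the WPAx+RADIUS setup recommended above, with PEAP/TTLS in place of EAP-MD5. It assumes the FreeRADIUS 3.x file layout; the client name, AP address, shared secret and user entry are placeholders.

```conf
# --- clients.conf: the access point is the RADIUS client (NAS) ---
client edimax-ap {                          # hypothetical client name
    ipaddr = 192.168.10.2                   # placeholder AP address in the 192.168.10.0 net
    secret = REPLACE-WITH-LONG-RANDOM-SECRET
}

# --- mods-available/eap ---
eap {
    # Weak setting: default_eap_type = md5
    #   (password hash exchanged without a tunnel, no mutual authentication)
    # Corrected: offer a tunnelled method first.
    default_eap_type = peap

    # Server certificate used to build the TLS tunnel; supplicants
    # authenticate the server against the issuing CA.
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2         # username/password inside the tunnel
        virtual_server = "inner-tunnel"
    }

    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }

    # No md5 { } subsection here: the assumption is that an EAP type
    # without its subsection is not loaded, so EAP-MD5 is not offered.
}

# --- mods-config/files/authorize (users file), placeholder account ---
teacher1  Cleartext-Password := "REPLACE-ME"
```

On the laptops, the supplicant profile should pin the CA certificate and the server name; without that check the tunnel gives no protection against a rogue access point collecting credentials.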

