Lol, just actually read some stuff on WPA and learnt a bit more about EAP. I realise now that TTLS does not require client certificates like I previously thought, only the server. Apologies for this misunderstanding. Although I do realise now that SecureW2 would be required to give my Windows users the ability to access this. Although this may not be too difficult to distribute to them, I would have to look into these possible issues.
On Sun, Apr 5, 2009 at 9:35 PM, daniel knox <[email protected]> wrote:
> Okie, I've spent some of this weekend looking into this and some of the
> files included in freeradius (haven't had a chance to play around testing it
> though).
> Am I right in guessing once I've configured the ldap group membership
> filter, I include the unlang statement:
>
> if (Ldap-Group == whatever) {
>     reject
> }
>
> as Ivan suggested in my radiusd.conf file in the authorise part?
>
> Second up I'm still juggling between what EAP type to use. It seems more
> and more PEAP is going to introduce a level of complexity which I would like
> to avoid. What's the view of this list on what extension will be most
> suitable in this case? As I mentioned previously I would like to keep admin
> work down as much as possible in terms of certificates, due to currently many
> of our users having to constantly come to ICT for help configuring their
> wireless. Hence the ideal of them just needing to use their username and
> password, to firstly make it considerably easier for a user to get onto the
> wireless and to secondly increase the security of our wireless network. Also,
> is the use of a different EAP type going to cause difficulty in terms of
> client compatibility? Aka, is a user with his poor Windows laptop going to
> have to install something extra just to communicate with the wireless, or
> should it just be as simple as: user sees wireless network, chooses it, it
> prompts for username and password and off he goes? Do I have to use an EAP
> type, or can I get away with not having one / is this very ill advised?
> Basically, "if you were in my position how would you go about it?" is
> probably what I'm asking for, lols. I admit wireless security is something I
> have not gone very deep into before.
>
> Many thanks again.
>
> On Sun, Apr 5, 2009 at 8:45 PM, Alexander Clouter <[email protected]> wrote:
>
>> [email protected] wrote:
>> >
>> > > In my scenario I would like to use PEAP if possible but not require the
>> > > user client to have a certificate, just the radius-server (which is why
>> > > I believe the TTLS solution will be inefficient here as I would have to
>> > > deal with handing out client certificates to hundreds of users). And to
>> > > be asked then their username and password to authenticate onto our
>> > > wireless. Would combining these two guides work to get these two initial
>> > > set-ups up and running?
>> > >
>> TTLS is *not* an admin hassle, TLS is (client side certificates). TTLS
>> means you put a verifiable server certificate on the *server* end that
>> the client can verify and know who it is talking to, then you can safely
>> even send the password in plain text.
>>
>> > PEAP will require passwords stored as clear text or nt hash. If your
>> > passwords are stored as something else they will have to be changed.
>> >
>> ...or...you use EAP-TTLS and get the client to send the passwords in
>> plaintext and then do an LDAP bind() to check if the credentials are
>> correct.
>>
>> Once you are doing this you can one day get around to (if you want to)
>> putting in plaintext passwords into your LDAP database that FreeRADIUS
>> can use and abuse.
>>
>> > As for combining freeradius and ldap perhaps you should read
>> > freeradius documentation first (wiki or doc/rlm_ldap from the
>> > download) and then see is there any need to bother with third party
>> > stuff.
>> >
>> Well PEAP without AD means you have to jump through a lot of hoops
>> manually configuring each client by hand. With something like SecureW2
>> you include a 'seeding' file and it will do all the hard manual priming.
>>
>> This is all overlooking that PEAP is horrible as if you want to play
>> with OTPs or other fun custom things, good luck doing that with PEAP.
>>
>> Cheers
>>
>> --
>> Alexander Clouter
>> .sigmonster says: Marriage causes dating problems.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
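The set-up the thread converges on (EAP-TTLS with a server certificate only, PAP inside the tunnel, an LDAP bind to check the password, and an Ldap-Group check to gate access), written out as a FreeRADIUS 2.x configuration excerpt. This is an added example, not configuration posted by anyone in the thread or shipped by FreeRADIUS; the hostnames, DNs, certificate paths and the group name "wireless-users" are assumptions.

```unlang
# Added example (not from the thread or the FreeRADIUS distribution).
# FreeRADIUS 2.x excerpts: EAP-TTLS, PAP in the tunnel, LDAP bind,
# LDAP group gate.  Server names, DNs, paths and the group name are
# assumptions; the stock eap.conf / inner-tunnel contain more than
# what is shown here.

# --- eap.conf ---------------------------------------------------------
eap {
	default_eap_type = ttls

	tls {
		# Only the server carries a certificate.  Clients verify it
		# against ca.pem, which is what a SecureW2 seed file hands out.
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		certificate_file = ${certdir}/radius.example.org.pem
		private_key_file = ${certdir}/radius.example.org.key
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}

	ttls {
		# The inner PAP request (real username + password) is handed to
		# the "inner-tunnel" virtual server, not the outer authorize.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}

# --- modules/ldap -----------------------------------------------------
ldap {
	server = "ldap.example.org"
	basedn = "ou=people,dc=example,dc=org"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Used by the Ldap-Group comparison below; Ldap-UserDn is set by the
	# user search, so "ldap" must run before the group check.
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
	groupmembership_attribute = memberOf
}

# --- sites-enabled/inner-tunnel ---------------------------------------
server inner-tunnel {
	authorize {
		# User search: finds the DN, sets control:Ldap-UserDn.
		ldap

		# Group gate: not in wireless-users => refused before any bind.
		if (Ldap-Group == "wireless-users") {
			ok
		}
		else {
			reject
		}

		# PAP inside TTLS delivers User-Password (protected by the outer
		# TLS), so the password can be checked with an LDAP bind.  No
		# cleartext or NT-hash copy of it is needed on the RADIUS side.
		if ((ok || updated) && User-Password) {
			update control {
				Auth-Type := LDAP
			}
		}
	}

	authenticate {
		Auth-Type LDAP {
			# Binds as the user's DN with the supplied password.
			ldap
		}
	}
}
```

One point this example changes from the plan in the quoted question: the group check is placed in the inner-tunnel server rather than the outer `authorize` section. With TTLS the outer `User-Name` may be an anonymous identity, so only the inner request carries the username the group lookup needs. The exchange can be checked end to end without a Windows client using `eapol_test` from wpa_supplicant, with a network block set to `eap=TTLS` and `phase2="auth=PAP"`, run as `eapol_test -c <conf> -a <server> -s <secret>`.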

