Re: Somewhat OT: Captive portal on access points instead complex supplicant at level end user?

2009-01-02 Thread ahmed adel
Hi,
I have implemented Chillispot with freeradius before as a captive portal.
Also, you may try CoovaChilli (http://coova.org/wiki/index.php/CoovaChilli),
which is based on chillispot, and it should work smoothly.

From: Sergio Belkin seb...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, December 15, 2008 3:54:20 AM
Subject: Somewhat OT: Captive portal on access points instead complex supplicant
at level end user?

Hi,

Currently I'm using:

*OpenWRT Kamikaze in AP's
*Freeradius 2.1.2
*LDAP

End users either use ttls or peap on their notebooks; as I have an LDAP
server, each uses his username and a password.

The problem with this approach is that it is somewhat complex for end users:
they must either install software or do a complicated configuration
(think in end-user terms, please). I'd want to have an open wireless
network where each user accesses a captive portal and enters his
username and password, that captive portal redirects the request to
freeradius, and freeradius in turn queries the ldap server.

I'd want to know if CoovaAP (or something similar, what?) can perform
such a task as a captive portal installed on APs.

I'd be glad to read suggestions

Thanks in advance!!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Somewhat OT: Captive portal on access points instead complex supplicant at level end user?

2008-12-15 Thread Sergio Belkin
2008/12/15  a.l.m.bu...@lboro.ac.uk:
> hi,
>
> why go backwards when you have the right wireless
> technology in place?  you need to look at the windows
> client end of things.  I'd suggest looking at automating
> the setup..the best thing would be to have another
> wireless SSID (eg 'setup for XYZ' - where XYZ is your current
> SSID) - and have that as an open wifi that can only (ONLY!)
> access one single IP on which lives a web server with auto
> setup tools - eg .NET or VBS for MS windows, XML for MAC
> and even a setup file for iPhone/iPod touch etc.  (this
> would have to be a webredirect so as soon as they
> associate, any DNS or port 80/8080/3128 etc get sent to the
> index page.) - another web delivery option is to prepackage
> eg open1x (open1x.sf.net) or SecureW2 (another supplicant)
> and get them to use that
>
> as you did note, the problem is with the client setup..
> that's the current difficulty with 802.1X.
>
> alan


Thanks for ideas,

In fact, some things you suggest I am using right now :) for example:

*Automatized SecureW2 installer (ttls)
*Web Page with secondary password for peap

But even so, some users find it somewhat hard to use.

I've tried with no success at this moment to use more than one SSID on
OpenWRT on Linksys WRT54GL...

All in all, you and Paul have provided me interesting info...

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: Somewhat OT: Captive portal on access points instead complex supplicant at level end user?

2008-12-15 Thread Alexander Clouter
Sergio Belkin seb...@gmail.com wrote:

> Thanks for ideas,
>
> In fact, some things you suggest I am using right now :) for example:
>
> *Automatized SecureW2 installer (ttls)
> *Web Page with secondary password for peap
>
> But even so, some users find it somewhat hard to use.

We seem to have no real problems with SecureW2 and our userbase.  Mac OS 
X users 'import' the configuration (if they are 10.3 or 10.4) and WinXP 
users get a light time of it with my SecureW2 preconfiguration script 
with some NSIS wrapper action to spoonfeed them during problematic bits.

Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment 
which is our current problem, however that's a grumble for another 
thread.

The only problem we have is that we are 'awkward' and force WPA2 only 
and do not give in to those WPA (version 1) TKIP weenies.

> I've tried with no success at this moment to use more than one SSID on
> OpenWRT on Linksys WRT54GL...

Do not ever go down this route[1].  It completely negates the point of 
having a WPA Enterprise network when someone comes along with an evil 
twin network and gets the user to install a 'springboard' application to 
get onto the better network.  It's as counterproductive as using 
PEAP/TTLS without full certificate validation :-/

If you want my NSIS and/or SecureW2 INF file do drop me an email.  The 
springboard'ing issue we resolved by dumping everything onto a CD and 
distributed them to the masses that way.  Even if this is not an option 
for you (like us in education with 'student welcome packs') if you make 
the CDs readily available near hotspots and whatnot in public areas 
people will find what they need.

Cheers

Alex

[1] I have convinced myself it's safe for a wired network, getting 
non-802.1X clients 802.1X'ified, but just not worth the risk for 
wireless clients

-- 
Alexander Clouter
.sigmonster says: Succumb to natural tendencies.  Be hateful and boring.
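
The point above about PEAP/TTLS without full certificate validation, shown as an added configuration example that is not part of the original thread. It assumes a wpa_supplicant client (the thread itself uses SecureW2); the SSID, identity, CA path and RADIUS server name are constructed placeholders.

```conf
# wpa_supplicant.conf fragments (constructed example; use only ONE of the
# two network blocks, they are shown side by side for comparison).

# WEAK: no ca_cert and no server name check. The supplicant completes the
# TLS tunnel with whatever RADIUS server answers, so an evil-twin SSID is
# accepted exactly like the real network and receives the inner
# MSCHAPv2 exchange.
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: WPA2 (RSN) with CCMP only, server certificate must chain to
# the site's own CA and must carry the expected RADIUS server name.
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    # WPA2 only, no WPA (version 1) / TKIP fallback
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    # Outer identity sent in the clear before the tunnel exists
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    # Trust anchor: the CA that issued the RADIUS server certificate
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Reject certificates from the same CA issued to any other host
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

Pinning both the CA and the server name matters: with only `ca_cert` set to a public CA, any certificate that CA issued to anyone would pass.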



Re: Somewhat OT: Captive portal on access points instead complex supplicant at level end user?

2008-12-15 Thread Sergio Belkin
2008/12/15 Alexander Clouter a...@digriz.org.uk:
> Sergio Belkin seb...@gmail.com wrote:
>
>> Thanks for ideas,
>>
>> In fact, some things you suggest I am using right now :) for example:
>>
>> *Automatized SecureW2 installer (ttls)
>> *Web Page with secondary password for peap
>>
>> But even so, some users find it somewhat hard to use.
>
> We seem to have no real problems with SecureW2 and our userbase.  Mac OS
> X users 'import' the configuration (if they are 10.3 or 10.4) and WinXP
> users get a light time of it with my SecureW2 preconfiguration script
> with some NSIS wrapper action to spoonfeed them during problematic bits.
>
> Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment
> which is our current problem, however that's a grumble for another
> thread.
>
> The only problem we have is that we are 'awkward' and force WPA2 only
> and do not give in to those WPA (version 1) TKIP weenies.
>
>> I've tried with no success at this moment to use more than one SSID on
>> OpenWRT on Linksys WRT54GL...
>
> Do not ever go down this route[1].  It completely negates the point of
> having a WPA Enterprise network when someone comes along with an evil
> twin network and gets the user to install a 'springboard' application to
> get onto the better network.  It's as counterproductive as using
> PEAP/TTLS without full certificate validation :-/
>
> If you want my NSIS and/or SecureW2 INF file do drop me an email.  The
> springboard'ing issue we resolved by dumping everything onto a CD and
> distributed them to the masses that way.  Even if this is not an option
> for you (like us in education with 'student welcome packs') if you make
> the CDs readily available near hotspots and whatnot in public areas
> people will find what they need.
>
> Cheers
>
> Alex
>
> [1] I have convinced myself it's safe for a wired network, getting
> non-802.1X clients 802.1X'ified, but just not worth the risk for
> wireless clients
>
> --
> Alexander Clouter
> .sigmonster says: Succumb to natural tendencies.  Be hateful and boring.


Recently we upgraded from OpenWrt White Russian to Kamikaze.

By now, problem about discarding packets is no more.

Most of the issues were that at random times it took a long time to get
Access-Accept, or even the AP didn't get any frames from supplicants...

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: Somewhat OT: Captive portal on access points instead complex supplicant at level end user?

2008-12-14 Thread Paul Bartell
This is exactly what Coova does. It blocks all access to the network,
until a correct username/password combination is made. The downfall to
such a system is 1. No encryption, and 2. Any somewhat-knowing
script-kiddie can spoof a mac address and hijack someone's session.

On Sun, Dec 14, 2008 at 5:54 PM, Sergio Belkin seb...@gmail.com wrote:
> Hi,
>
> Currently I'm using:
>
> *OpenWRT Kamikaze in AP's
> *Freeradius 2.1.2
> *LDAP
>
> End users either use ttls or peap on their notebooks; as I have an LDAP
> server, each uses his username and a password.
>
> The problem with this approach is that it is somewhat complex for end users:
> they must either install software or do a complicated configuration
> (think in end-user terms, please). I'd want to have an open wireless
> network where each user accesses a captive portal and enters his
> username and password, that captive portal redirects the request to
> freeradius, and freeradius in turn queries the ldap server.
>
> I'd want to know if CoovaAP (or something similar, what?) can perform
> such a task as a captive portal installed on APs.
>
> I'd be glad to read suggestions
>
> Thanks in advance!!
>
> --
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin -




-- 
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff

At school you don't get parole, good behavior only brings a longer
sentence. - The History Boys


Re: Somewhat OT: Captive portal on access points instead complex supplicant at level end user?

2008-12-14 Thread A . L . M . Buxey
hi,

why go backwards when you have the right wireless
technology in place?  you need to look at the windows
client end of things.  I'd suggest looking at automating
the setup..the best thing would be to have another
wireless SSID (eg 'setup for XYZ' - where XYZ is your current
SSID) - and have that as an open wifi that can only (ONLY!)
access one single IP on which lives a web server with auto
setup tools - eg .NET or VBS for MS windows, XML for MAC
and even a setup file for iPhone/iPod touch etc.  (this
would have to be a webredirect so as soon as they
associate, any DNS or port 80/8080/3128 etc get sent to the
index page.) - another web delivery option is to prepackage
eg open1x (open1x.sf.net) or SecureW2 (another supplicant)
and get them to use that

as you did note, the problem is with the client setup..
that's the current difficulty with 802.1X.

alan