Re: Setting FreeRadius and Ldap. - Getting Educated Now
Ivan,

Thanks for the url link to the missing documentation. Very helpful. Ldap is not going to work for EAP.

Now I am facing a dilemma - deciding what WEP protocol to use based on my test setup. After reading the 'sites' and 'modules' files it seems that some WEP or EAP protocols are weaker than others, some not suggested for use.

Here's what my test router and machines can handle.

Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise. Cipher: TKIP or AES
Workstation: WEP 40/128 shared key, Leap, Dynamic WEP, WPA WPA2 Personal Enterprise
Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST --this may be the limiting machine.

I need to rely on list users' experience for suggested paths to pursue?

Steven

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting FreeRadius and Ldap. - Getting Educated Now
> Now I am facing a dilemma - deciding what WEP protocol to use based on my test setup. After reading the 'sites' and 'modules' files it seems that some WEP or EAP protocols are weaker than others, some not suggested for use.
>
> Here's what my test router and machines can handle.
>
> Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise. Cipher: TKIP or AES
> Workstation: WEP 40/128 shared key, Leap, Dynamic WEP, WPA WPA2 Personal Enterprise
> Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST --this may be the limiting machine.

Use WPA2 Enterprise (PEAP) on the workstation and LEAP for older laptop. Server should support both in default configuration.

Ivan Kalik
Kalik Informatika ISP
Re: Setting FreeRadius and Ldap. - Getting Educated Now
Hi,

> Now I am facing a dilemma - deciding what WEP protocol to use based on my test setup. After reading the 'sites' and 'modules' files it seems that some WEP or EAP protocols are weaker than others, some not suggested for use.

don't use WEP. ever.

> Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise. Cipher: TKIP or AES

surely you mean WPA personal and WPA enterprise (TKIP or AES)? I would say WPA enterprise with AES. it's the best you can get currently on your kit

> Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST --this may be the limiting machine.

the limiting factor here is most likely the software on the system - use a different tool to control the wireless authentication

alan
Re: Setting FreeRadius and Ldap. - User settings
Ivan,

Based on your advice I need to set myself up as a user and start testing from my workstation. Since it seems I am missing the docs supplied in source (used packaged file) can you give me some guidance on minimum settings.

1. RADIUS server Shared Secret
Where is the best place to set my RADIUS server Shared Secret? or can I use a default Shared Secret in Free Radius?

2. Users
I will be using WPA Enterprise on my workstation and not sure of the following settings in the 'users' file. DHCP is used for wireless users. If needed I could reserve a test address and place it here? Not sure if that's needed or practical.

Here's what I gleaned from the users file I assume:

steven Cleartext-Password := xx
        Service-Type = what is used here for local wireless network ???

Anything else?

Thanks
Steven
Re: Setting FreeRadius and Ldap. - Getting Educated Now
Thanks Alan,

WPA Enterprise with AES, I will do some more reading to understand the benefits of AES.

As for the older laptop - I chose this unit because it represents the oldest of technologies that will be accessing the network. This IBM Thinkpad uses a Cisco (Calexico) internal wireless card using current Windows XP (SP3) card drivers (from IBM / Lenovo). So unless there is a better solution for controlling this wireless card I am stuck with dealing with its offerings: WEP, Cisco Leap and EAP FAST.

Steven
Re: Setting FreeRadius and Ldap. - Getting Educated Now
On 28/08/2009 16:50, Steven Sprague wrote:
> Thanks Alan,
>
> WPA Enterprise with AES, I will do some more reading to understand the benefits of AES.

TKIP is semi-broken, in that you can do ARP poisoning attacks without needing the PMK. We're mandating WPA2-AES for this academic year.

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA), Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Setting FreeRadius and Ldap.
Hello All

My needs are simple. Use an existing LDAP server to communicate with FreeRadius. After reading a number of sources (including the FAQ) I am a bit confused as to what is required?

I will start out simple with WPA using LEAP - since all my client boxes can use it.

Questions:
Do I need any special schema for ldap to use this plan? Y/N
If YES, where can I find example?
If NO, what other settings need to be set on the client, ldap and FreeRadius server for testing.

I need a simple systematic step by step would be great. _:)
Sorry, my only book - LDAP by O'Reilly is a bit dated and incomplete.

My test setup is one access point (D-Link DIR-655), two RHEL servers and one workstation client for testing.
Server 1 - DNS FreeRadius
Server 2 - LDAP, Postfix, Dovecot, Apache, Squid.
** They are on the same network.

I appreciate any advice to get me moving in the right direction.

Steven
Re: Setting FreeRadius and Ldap.
> Questions:
> Do I need any special schema for ldap to use this plan? Y/N

No.

> If NO, what other settings need to be set on the client, ldap and FreeRadius server for testing.

Configure ldap module (raddb/modules/ldap, instructions in doc/rlm_ldap) and uncomment ldap in authorize section of default virtual server (raddb/sites-enabled/default).

Ivan Kalik
Kalik Informatika ISP
Re: Setting FreeRadius and Ldap.
tnt,

Made the changes you suggested but could not locate the doc/rlm_ldap. Do you have any simple tests for the settings I changed?

Steven
Re: Setting FreeRadius and Ldap.
tnt,

I loaded FreeRadius in terminal using -X to see what is loading. Here's what comes back - you will notice one complaint below - in the rlm_ldap section:

rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the authenticate section.

[r...@ns1 ~]# radiusd -X
FreeRADIUS Version 2.1.6, for host i386-redhat-linux-gnu, built on Jun 2 2009 at 17:33:54
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory
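As an added example (not Ivan's text or the project's shipped files), here are the two FreeRADIUS 2.x files Ivan points at, with hypothetical directory values (server, bind DN, basedn and the bind password are placeholders); the Auth-Type LDAP stanza in authenticate is the one whose absence produces the "Over-riding set_auth_type" line in the -X output above.

```text
# raddb/modules/ldap  (hypothetical directory; adjust server, bind DN and basedn)
ldap {
        server = "ldap.example.com"
        # account used for the user search; omit identity/password for an anonymous search
        identity = "cn=radius,dc=example,dc=com"
        password = "BIND_PASSWORD_PLACEHOLDER"
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        timeout = 4
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        # set Auth-Type := LDAP (bind as the user) when the search returned
        # no password attribute that the module could hand to pap/mschap
        set_auth_type = yes
}

# raddb/sites-enabled/default  (unchanged stanzas omitted)
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        ldap          # uncommented: runs the search above on every Access-Request
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        # this stanza is what the "Over-riding set_auth_type, as there is no
        # module ldap listed in the authenticate section" message asks for
        Auth-Type LDAP {
                ldap
        }
        eap
}
```

Auth-Type LDAP authenticates by binding to the directory as the user, so it only serves methods that deliver a cleartext password to the server (PAP, EAP-TTLS/PAP); LEAP and PEAP/MSCHAPv2 need the server to hold the password (cleartext or NT hash) itself, which is the sense in which LDAP "is not going to work for EAP" earlier in the thread.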