Re: a freeradious/wireless solution for a school

2007-02-01 Thread Alan DeKok
John Wan wrote:
 
 I have set up the chillispot+freeRadius+Win2k3AD for my wireless
 network. Everything is working but the AD authentication. Apparently the
 reason it is not working is that AD does not like CHAP authentication
 and AD likes MS-CHAP. I do not know how or where to
 configure my Linux box to use MS-CHAP instead of CHAP.

  See the Chillispot documentation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: a freeradious/wireless solution for a school

2007-01-31 Thread John Wan


Hi Michael,


I have set up the chillispot+freeRadius+Win2k3AD for my wireless
network. Everything is working but the AD authentication. Apparently the
reason it is not working is that AD does not like CHAP authentication
and AD likes MS-CHAP. I do not know how or where to
configure my Linux box to use MS-CHAP instead of CHAP.

Have you done this before? If you have, would you please teach me how to
rectify this problem.

Please see the following output from $ Radius -X when a wireless
client uses administrator logon into the chillispot web logon page:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
User-Name = administrator
CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.5
Calling-Station-Id = 00-16-6F-79-91-F4
Called-Station-Id = 00-05-5D-9E-0F-94
NAS-Identifier = nas01
Acct-Session-Id = 45aec9a9
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x97668bae73249b0dd4755ab03d364f34
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = administrator, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched DEFAULT at 153
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by administrator with CHAP password
  rlm_chap: Could not find clear text password for user administrator
  modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
Sending Access-Reject of id 0 to 127.0.0.1:32772
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 45aecedc
Nothing to do.  Sleeping until we see a request.


Many thanks in advance.

John Wan
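
Why the CHAP request in the debug output above ends in "Could not find clear text password": an added Python example (not code from the thread or from FreeRADIUS) of the RFC 1994 CHAP check, which needs the clear-text password and so cannot succeed against a store that holds only a one-way hash, as Active Directory does by default. The backend dictionaries, the user student1 and its passwords are constructed for illustration.

```python
import hashlib
import hmac
import re

# Attribute lines copied from the radiusd debug output quoted above.
DEBUG_EXCERPT = """\
User-Name = administrator
CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
NAS-Identifier = nas01
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_attributes(text):
    """Turn 'Name = value' debug lines into a dict; 0x... values become bytes."""
    attrs = {}
    for line in text.splitlines():
        match = ATTR_RE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip('"')
        attrs[name] = bytes.fromhex(value[2:]) if value.startswith("0x") else value
    return attrs


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def check_chap(attrs, backend):
    """Mimic the server-side decision for a CHAP Access-Request.

    Returns 'accept', 'reject', or 'invalid' (nothing usable to check against).
    Simplification: RADIUS falls back to the Request Authenticator when
    CHAP-Challenge is absent; this sketch treats that case as 'invalid'.
    """
    chap_password = attrs.get("CHAP-Password", b"")
    challenge = attrs.get("CHAP-Challenge")
    if len(chap_password) != 17 or not challenge:
        return "invalid"
    # First octet is the CHAP identifier, the remaining 16 are the MD5 digest.
    ident, digest = chap_password[0], chap_password[1:]
    cleartext = backend.get(attrs.get("User-Name"), {}).get("Cleartext-Password")
    if cleartext is None:
        # Only a one-way hash (or nothing) is stored: the MD5 over the
        # clear-text password cannot be recomputed, so CHAP cannot be checked.
        return "invalid"
    expected = chap_response(ident, cleartext.encode(), challenge)
    return "accept" if hmac.compare_digest(expected, digest) else "reject"


def make_chap_request(user, password, ident, challenge):
    """Build the attributes a CHAP client (here, the captive portal) would send."""
    response = chap_response(ident, password.encode(), challenge)
    return {
        "User-Name": user,
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + response,
    }


# Hypothetical stand-ins for user stores (not FreeRADIUS data structures).
# The first holds only a one-way hash; the value is a constructed placeholder.
AD_LIKE_BACKEND = {"administrator": {"NT-Password": "<one-way hash placeholder>"}}
# The second holds a clear-text password, which is what CHAP requires.
LOCAL_BACKEND = {"student1": {"Cleartext-Password": "constructed-passphrase"}}


def demo():
    """Return the decisions for the logged request and two constructed ones."""
    logged = parse_attributes(DEBUG_EXCERPT)
    challenge = logged["CHAP-Challenge"]
    good = make_chap_request("student1", "constructed-passphrase", 7, challenge)
    bad = make_chap_request("student1", "wrong-guess", 7, challenge)
    return (
        check_chap(logged, AD_LIKE_BACKEND),  # the case in the debug output
        check_chap(good, LOCAL_BACKEND),
        check_chap(bad, LOCAL_BACKEND),
    )


if __name__ == "__main__":
    print(demo())
```
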
 


Re: a freeradious/wireless solution for a school

2007-01-25 Thread gkalinec
 is insecure and client support is often not as good 
 as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA 
 Enterprise) is where you should be looking; the necessary keys to enable 
 it to work are generated by the RADIUS server and passed to the AP.
 
 
 
 In summary, I recommend setting up a PEAP setup using FreeRADIUS, and 
 using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's 
 all they support.
 
 If that proves impractical, some kind of Chillispot or similar captive 
 portal setup based around RADIUS is possible, but that won't encrypt the 
 data on the wireless network, which should be one of your aims. 
 Chillispot can be used with WPA, but I have no experience of doing this.
 
 MAC authentication, in my opinion, isn't worth bothering with - the 
 security it provides is trivially broken, and management is a nightmare.
 
 
 If you need new APs, something like the 3Com 7760 or 8760 would be more 
 suitable than the arguably consumer grade Netgear units you have, not 
 least because you can accommodate legacy clients that can't be upgraded 
 to a new secure wireless network whilst requiring all new clients to 
 operate on WPA2 Enterprise using PEAP.
 
 
 
 
 David
 -- 
 David Wood
 [EMAIL PROTECTED]
 
 

-- 
View this message in context: 
http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221.html#a8624324
Sent from the FreeRadius - User mailing list archive at Nabble.com.



RE: a freeradious/wireless solution for a school

2007-01-25 Thread gkalinec

The database is not a problem, since we have a huge one in place, one stored
in Active Directory (for which I can use the freeradius LDAP module) or
MySQL one. The database is really our main strength, since we have tons of
information about every student, staff and parent in (it's what my main job
responsibility entails).  A quick question, however, would this be just as
easy to set up on a Macintosh? (since many of my supplicants will be Macs..)

German Kalinec




Re: a freeradious/wireless solution for a school

2007-01-25 Thread A . L . M . Buxey
Hi,

 responsibility entails).  A quick question, however, would this be just as
 easy to set up on a Macintosh? (since many of my supplicants will be Macs..)

Macs are very friendly with wireless (well, if it's OSX 10.3 and higher
anyway). you can configure them to match the PC method - EAP-PEAP
or go via EAP-TTLS with MSCHAPv2 internal tunnel etc

alan


RE: a freeradious/wireless solution for a school

2007-01-25 Thread King, Michael
 

 -Original Message-
 
 The database is not a problem, since we have a huge one in 
 place, one stored in Active Directory (for which I can use 
 the FreeRADIUS LDAP module) or MySQL one.

If you use ActiveDirectory, I believe you would have an easier time
using ntlm_auth.  Using LDAP with ActiveDirectory requires some work.

http://deployingradius.com/documents/configuration/active_directory.html

MySQL should be trivial for you to implement.


For why LDAP with ActiveDirectory doesn't work, see
http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html




Re: a freeradious/wireless solution for a school

2007-01-25 Thread gkalinec

So then it seems to me that my best solution would then be to implement
either an EAP-PEAP or EAP-TTLS solution authenticating against either my
MySQL or my Active Directory (I've been reading the ntlm authentication
through samba, and it's not something hard to set up).  This way I can have
server-side certificates only and have the users login with their usernames
and passwords.  What would, in your opinion, be better?  TTLS or PEAP?
Also, if I had a laptop for school-only use (say, for example, a laptop that
we provide for the users), in this case the wireless connection would need to
be established without user input (for example, have the machine connected
already so that the user can log into the machine through Windows).  Could I
then still use either of these methods (and generate a client cert to log
in), or should I implement a different solution?

Thanks,


German Kalinec





Re: a freeradious/wireless solution for a school

2007-01-25 Thread jonr
Quoting gkalinec [EMAIL PROTECTED]:

What would, in your opinion, be better?  TTLS or PEAP?

I believe with TTLS you would need to load software on each computer, can
someone else verify that? I am using PEAP and it works with Windows, Macs and
Linux (using wpa_supplicant or xsupplicant).

 Also, if I had a laptop for school-only use (say, for example, a laptop that
 we provide for the users), in this case the wireless connection would need to
 be established without user input (for example, have the machine connected
 already so that the user can log into the machine through Windows).

When using PEAP when your user logs in for the first time and validates their
identity and accepts your cert, they never have to repeat the process, unless
they get a new machine. When they come back into contact with your hotspot
their computer will automagically log them back in.

  Could I
 then still use either of these methods (and generate a client cert to log
 in), or should I implement a different solution?

If you are using PEAP or TTLS you don't need a client cert, you can have one but
it is not needed. Trying to get a client cert to every user could be a real
pain, it might be easier if you use AD to push it to each system, I don't use
AD, so I can't say for sure.

Hope that helps,

Jon


Re: a freeradious/wireless solution for a school

2007-01-25 Thread A . L . M . Buxey
Hi,

 So then it seems to me that my best solution would then be to implement
 either an EAP-PEAP or EAP-TTLS solution authenticating against either my

PEAP or TTLS? no reason why you cannot have both. FreeRADIUS is quite happy
doing both at same time... especially if you use MSCHAPv2 as the inner auth
for the TTLS. it's the same ntlm_auth line then too.

 and passwords.  What would, in your opinion, be better?  TTLS or PEAP?

it's down to philosophy more than anything - until the proof that PEAP can be
broken with a simple tool ;-) - some implementations of PEAP are known to be
'leaky' - they leak some of the challenge/response. that said, if you want
anonymity, TTLS is the only way - can use an anonymous auto identity. with
most PEAP, your inner username is thrown to the outer identity by default.

 Also, if I had a laptop for school-only use (say, for example, a laptop that
 we provide for the users), in this case the wireless connection would need to
 be established without user input (for example, have the machine connected
 already so that the user can log into the machine through Windows).  Could I

if you use the AD, you can configure it to use machine authentication...in this
case the machine ID is in the AD and the system logs in before the user - now
you can have active, non-cached user logins too. 

alan


RE: a freeradious/wireless solution for a school

2007-01-25 Thread King, Michael
 

 -Original Message-
 What would, in your opinion, 
 be better?  TTLS or PEAP?

They're not Mutually exclusive.  You can have both.  I'd suggest doing
both.




Re: a freeradious/wireless solution for a school

2007-01-24 Thread A . L . M . Buxey
Hi,
 Please elaborate on how the system can be circumvented?

FakeAP springs to mind instantly, as does any of the other man-in-middle
attacks. a quick google will bring up many methods of doing such attacks.

basically, I set up a software AP with same SSID. I have same login
page - even the same signed certificate if you've been so good as to
buy a commercial one - and take the users' credentials when they login.
I then pull down my AP and use the credentials to login. Trivial
stuff.  if you use WEP I can do a similar thing to get the 3rd party
to send me enough WEP traffic (failures of course) to get the key using
the modern crackers. 5 minutes of fun...and then use that WEP for my gateway.
(same isn't true - yet - for WPA-PSK - but like WEP those passphrases
need to be disseminated.)  All this falls in the same 'security' bucket
(or bin) as MAC authentication, hiding the SSID etc.

but since most public sites use these systems it's gotta be okay. yes? ;-)

alan


Re: a freeradious/wireless solution for a school

2007-01-23 Thread A . L . M . Buxey
Hi,

* Apache
* Freeradius
* Chillispot
* Mysql

though note that captive portals are easy to mitigate/spoof and circumvent

alan


Re: a freeradious/wireless solution for a school

2007-01-23 Thread A . L . M . Buxey
Hi,

 Therein lies the problem.  My potential users are a lot of my students.
 The idea of having to install certificates in 200+ laptops is not really
 feasible.  And showing them how to install is an exercise in futility,
 since most of our students are not computer savvy enough to do it.

you could always, for example, supply them with a securew2 install package 
which would have the certificate already included.

alan


Re: a freeradious/wireless solution for a school

2007-01-23 Thread Tas Dionisakos
I have attached the doc to this post. I have tested this setup tens of
times and it will work if followed correctly. If you have any further
queries please email me.


Tas.

Agent Smith wrote:

I am interested. Please post the doc.

Thanks,

--- Tas Dionisakos [EMAIL PROTECTED] wrote:

I'm in a similar environment, after months of research I have come to the
following solution.

* Apache
* Freeradius
* Chillispot
* Mysql

I have a howto that will help you build a system like this in about half
an hour, email me if you want the doc.

Chillispot provides a captive portal which makes a user authenticate
(over ssl), then you have the power to apply restrictions like bandwidth
throttling, session time limit, etc.

The only maintenance is creating the account.

Tas.



Peter Nixon wrote:

http://wiki.freeradius.org/EAP

-Peter

On Tue 23 Jan 2007 00:06, German Kalinec wrote:

Therein lies the problem.  My potential users are a lot of my students.
The idea of having to install certificates in 200+ laptops is not really
feasible.  And showing them how to install is an exercise in futility,
since most of our students are not computer savvy enough to do it.

German Kalinec
Systems Manager
New Roads School
3131 Olympic Blvd.
Santa Monica, CA 90404
(310) 828-5582

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Nazeer Khan
Sent: Monday, January 22, 2007 1:44 PM
To: FreeRadius users mailing list
Cc: freeradius-users@lists.freeradius.org
Subject: Re: a freeradious/wireless solution for a school

Hi,

Use EAP-TLS, the most secure one. It will automatically give encryption
key to the clients. You have to do one thing, install the client certificates
in the beginning in each client machine that will use your wireless and
that's it.

There are other options like EAP-PEAP, LEAP etc

Check out for the types of EAP and you will find out.

Cheers.

--
*
Tas Dionisakos
IT Manager
St Mary’s College and Newman College
The University of Melbourne
T: 03 9342 1708
M: 0439 655 565
E: [EMAIL PROTECTED]
C: (0o ()() o0)
*

chillispot-howto.odt
Description: application/vnd.oasis.opendocument.text

Re: a freeradious/wireless solution for a school

2007-01-23 Thread Tas Dionisakos

Please elaborate on how the system can be circumvented?

Tas.

[EMAIL PROTECTED] wrote:

Hi,

  

   * Apache
   * Freeradius
   * Chillispot
   * Mysql



though note that captive portals are easy to mitigate/spoof and circumvent

alan


RE: a freeradious/wireless solution for a school

2007-01-23 Thread Josh Howlett
(I'll bite to save Alan the déjà vu) 

An attacker sets up a captive portal system that looks exactly the same as 
yours (spoof). Users can't distinguish between the two captive portals, and so 
some users inevitably enter their credentials into the spoof portal. These 
credentials can be used by the attacker to gain network access through the 
authorised portal, or whatever else they're authorised for.

josh. 



a freeradious/wireless solution for a school

2007-01-22 Thread gkalinec

Hello,
I work for a mid-size private school (about 700-800 people on campus), and
I'm trying to set up a way to limit the use of our wireless to our
students/staff.  The main problem that I'm encountering is finding a
solution that will fit our needs.  A little background first...
When I first started (about a year ago, and I'm still the only IT person
managing the whole school network) we had crappy wireless at different
places on campus for students and staff to access our network.  The person
who set these up (my current boss) simply did a MAC access control list on
each AP and made the students and staff come to him to register their
computers.  This was a major pain since each of our APs (7 of them) had to
have the new MAC address manually added to each AP every time we had a new
laptop.  The problem with this solution (aside from having to enter the MACs
7 times) was that we eventually run out of room in the MAC table.  After
some negotiating we got new wireless, but still not top of the line (I
wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
run out of space in the table (it now holds 50, we now have about 100+ laptops
being used by students).  I know that the solution is to implement a radius
authentication with the APs that we have.  The APs support radius servers
using either WAP or legacy 802.1X (with WEP keys).  I did tons of research
on WAP (being the preferred method), but I could not get around the fact
that certificates MUST be installed in the client computer in order for the
protocol to work.  This is simply impossible since most of our students (and
staff for that matter) are unable to install certificates (or unwilling) and
having to install certificates manually myself is just too time consuming.
So my first question is what methods would you suggest for this kind of set
up?
My original idea was to implement the legacy 802.1x option.  I managed to
set up the AP correctly and the radius server to authenticate based on MAC
addresses, but I could not find a way to get the WEP key back to the client
laptop.  I'm not even sure it is possible, really, and I'm hesitant to try
to have our students and staff enter a WEP key into their laptops themselves
(since when they fail they will come for me to set it up, and if I wanted to
change the WEP key, I would have to re-change it on every laptop).  Is there
any way for the radius server to send back the WEP key to the client?  I
know it must seem horribly insecure (and it is), but I have to show my boss
a solution that is better than simply leaving our network open.
Can someone help or suggest a better way of resolving this?


Re: a freeradious/wireless solution for a school

2007-01-22 Thread Nazeer Khan

Hi,

Use EAP-TLS, the most secure one. It will automatically give encryption
key to the clients. You have to do one thing, install the client certificates
in the beginning in each client machine that will use your wireless and
that's it.

There are other options like EAP-PEAP, LEAP etc

Check out for the types of EAP and you will find out.

Cheers.





--
This email and any attachments may be confidential. They may contain legally
privileged information or copyright material. You should not read, copy,
use or disclose them without authorisation. If you are not an intended
recipient, please contact us at once by return email and then delete both
messages. We do not accept liability in connection with computer virus,
data corruption, delay, interruption, unauthorised access or unauthorised
amendment. This notice should not be removed.


Re: a freeradious/wireless solution for a school

2007-01-22 Thread Gaddis, Jeremy L.

On 1/18/07, gkalinec [EMAIL PROTECTED] wrote:

places on campus for students and staff to access our network.  The person
who set these up (my current boss) simply did a MAC access control list on
each AP and made the students and staff come to him to register their
computers.  This was a major pain since each of our APs (7 of them) had to
have the new MAC address manually added to each AP every time we had a new
laptop.  The problem with this solution (aside from having to enter the MACs
7 times) was that we eventually run out of room in the MAC table.  After


For the first wireless deployment at the .edu where I work, we used a
similar solution except that we used FreeRADIUS with a MySQL backend
for registering MAC addresses.  Since MAC authentication isn't
secure at all, we ended up also requiring a VPN connection in order to
get out.

Like you, I've recently gotten new equipment and am actually trying to
simplify things.  We're doing away with the MAC authentication and VPN
connection and will simply be using ChilliSpot for controlling access
to our wireless networks.  ChilliSpot uses FreeRADIUS for
authentication (and FreeRADIUS is verifying credentials against our
enterprise LDAP directory) with accounting information being stored in
MySQL.

Don't bother trying to use WEP in an academic environment.  The point
of a WEP key is to keep it a secret.  It's no longer a secret if you
must give it out to everyone.  We implemented the VPN connection to
force a secure connection, but we're doing away with that.

HTH,
-j

--
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/


RE: a freeradious/wireless solution for a school

2007-01-22 Thread King, Michael
Without being too subtle, You've mis-understood much of the research
you've read.  Don't worry about it, there is quite a bit of
contradictory information out there.

There's quite a bit of background information, so it'll be a little bit
before I mention FreeRADIUS.

First.  It's WPA, not WAP.   (Different fields of technology)

Forget much of what you've read.

First, This is what you have been doing.

It's called MAC filtering.  The AP will only talk to MACs that it has in
its table.
In short, this is useless, since if I wanted to get on, I'd just fire up
a packet sniffer.
(They're free and easy to get.  http://www.wireshark.org/ for example)
Copy some poor soul's MAC address, and I'm on.  It's an administrative
nightmare.

You should not do this.   A second form of this, is to load all the MAC
addresses into a radius server, then the AP will interrogate Radius to
find out if it's on its allow list.  This is as useless as the way you're
doing it now, because I can still easily copy your MAC address.  You
should not do this either.

Second:
You mention 802.1x with WEP.  You do not enter WEP keys at all, the
RADIUS server takes care of it.  This is a standard way of doing
wireless.  However I'd highly recommend you DO NOT pursue this, as it's
very insecure, and has been replaced by WPA.  All the benefits of doing
this apply to WPA.  But you can do this if you want, but I'd suggest not
to.  

Third
Now we're on to WPA.  This is what you should implement.

WPA comes in two forms: WPA and WPA2.

The primary difference is that WPA was designed as an interim protocol,
with backward compatibility in mind.
WPA2 was designed to be run on new hardware, and uses AES encryption. If
you are setting a new network up, just use WPA2.

Both WPA and WPA2 come in two forms.  PSK and Enterprise

PSK (or Pre-Shared Key) is what you mentioned.  You load a secret key
onto all your APs, and then put the same key on all your users'
machines. It's designed for HOME use.  You do NOT want to use this form.

Enterprise is what you WANT to use.  You have all your usernames and
passwords stored in a database.  (Be it SQL, Active Directory, LDAP, etc.)
This is where FreeRADIUS comes in.  You configure all your APs to use
RADIUS, and give it the RADIUS IP.

You configure RADIUS to perform either TTLS and/or PEAP.  (This is site
specific, you need to decide your backend database to determine which
one you can use)

You configure your client to use TTLS or PEAP, and upon connecting to
the network, they will be prompted to enter username and password.  If
they don't have one, they don't get on.  If they do have one, they get
on.


Now we're at RADIUS.  What type of user database do you have?
Active Directory?   Novell?  Not having one is an acceptable answer as
well.

Post back, it's a lot of info, but we're here to help.



RE: a freeradious/wireless solution for a school

2007-01-22 Thread jonr
Quoting King, Michael [EMAIL PROTECTED]:

 You configure your client to use TTLS or PEAP, and upon connecting to
 the network, they will be prompted to enter username and password.  If
 they don't have one, they don't get on.  If they do have one, they get
 on.

This also solves your problem of having to give out a cert to each client, as
both of these only require a server-side cert. You could then purchase a
certificate from a trusted CA and that would already be in their browser's list
of trusted CAs.

Here are a couple of howtos: the first is for a Linux supplicant and the second
is for using a Windows supplicant. What's a supplicant? The client.

http://tldp.org/HOWTO/html_single/8021X-HOWTO/

http://text.dslreports.com/forum/remark,9286052~mode=flat

Hope that helps,

Jon


Re: a freeradious/wireless solution for a school

2007-01-22 Thread Peter Nixon
http://wiki.freeradius.org/EAP

-Peter

On Tue 23 Jan 2007 00:06, German Kalinec wrote:
 Therein lies the problem.  My potential users are a lot of my students.
 The idea of having to install certificates in 200+ laptops is not really
 feasible.  And showing them how to install is an exercise in futility,
 since most of our students are not computer savvy enough to do it.

 German Kalinec
 Systems Manager
 New Roads School
 3131 Olympic Blvd.
 Santa Monica, CA 90404
 (310) 828-5582

 -Original Message-
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 org] On Behalf Of Nazeer Khan
 Sent: Monday, January 22, 2007 1:44 PM
 To: FreeRadius users mailing list
 Cc: freeradius-users@lists.freeradius.org
 Subject: Re: a freeradious/wireless solution for a school


 Hi,

 Use EAP-TLS, the most secure one. It will automatically give encryption
 key to the clients. You have to do one thing, install the client
 certificates
 in the beginning in each client machine that will use your wireless and
 that's it.

 There are other options like EAP-PEAP, LEAP etc

 Check out for the types of EAP and you will find out.

 Cheers.

 tml




 

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: a freeradious/wireless solution for a school

2007-01-22 Thread Tas Dionisakos
I'm in a similar environment, after months of research I have come to the 
following solution.


   * Apache
   * Freeradius
   * Chillispot
   * Mysql

I have a howto that will help you build a system like this in about half 
an hour, email me if you want the doc.


Chillispot provides a captive portal which makes a user authenticate 
(over ssl), then you have the power to apply restrictions like bandwidth 
throttling, session time limit, etc.


The only maintenance is creating the account.

Tas.






--
*
Tas Dionisakos
IT Manager
St Mary’s College and Newman College
The University of Melbourne
T: 03 9342 1708
M: 0439 655 565
E: [EMAIL PROTECTED]
C: (0o ()() o0)
*



Re: a freeradious/wireless solution for a school

2007-01-22 Thread Agent Smith

I am interested. Please post the doc.

Thanks,



Re: a freeradious/wireless solution for a school

2007-01-22 Thread David Wood

Hi German,

You've already had much wisdom; I'm going to try a comprehensive reply 
to the whole problem.


In message [EMAIL PROTECTED], gkalinec 
[EMAIL PROTECTED] writes

I work for a mid-size private school (about 700-800 people on campus), and
I'm trying to set up a way to limit the use of our wireless to our
students/staff.  The main problem that I'm encountering is finding a
solution that will fit our needs.


Yours is hardly the biggest wireless deployment; there are solutions 
that exist for this.




 A little background first...
When I first started (about a year ago, and I'm still the only IT person
managing the whole school network) we had crappy wireless at different
places on campus for students and staff to access our network.  The person
who set these up (my current boss) simply did a MAC access control list on
each AP and made the students and staff come to him to register their
computers.  This was a major pain since each of our APs (7 of them) had to
have the new MAC address manually added to each AP every time we had a new
laptop.  The problem with this solution (aside from having to enter the MACs
7 times) was that we eventually run out of room in the MAC table.


MAC authentication is trivially broken. Most wireless cards can work 
with a spoofed MAC address, and MAC addresses are trivially sniffed from 
the air.


As you've also found out, maintainability of MAC tables is an issue. 
Some APs (including the 3Com 8760 - more about that in a minute) support 
MAC authentication against a RADIUS server, but it's usually not worth 
the effort, as it provides little if any extra security on top of WPA.


In fact, the 3Com 8760 doesn't support MAC authentication against a 
RADIUS server when using 802.1x. You could configure the RADIUS server 
to verify the MAC address when dealing with EAP, but this adds so little 
to security it isn't worth the hassle and the maintenance effort in my 
opinion.




After
some negotiating we got new wireless, but still not top of the line (I
wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
run out of space in the table (it now holds 50, we now have about 100+ laptops
being used by students).


It doesn't have to be Cisco to be decent; there are some reasonable 
enough enterprise APs from other vendors.



The latest AP I bought was a 3Com 8760, which is a dual band (802.11a 
and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access 
points per band (each with a different SSID, encryption and 
authentication settings, and optionally a different VLAN as well). It 
supports 802.1q tagged VLAN operation, RADIUS authentication and 
accounting, and you can return which VLAN to connect a user to in the 
Access-Accept packet from your RADIUS server. The 8760 is a Power over 
Ethernet device, and is supplied with a simple Power over Ethernet 
injector.


The only drawbacks I've found are that the web interface doesn't work 
perfectly in Firefox (it's documented as IE only in the current firmware 
release), RADIUS accounting has to be set at the CLI (again, documented 
as a limitation in the current firmware) and the PoE injector isn't 
fully 802.3af compliant, in that it doesn't employ any resistive sensing 
and is permanently live instead (which means you have to be careful what 
you connect it to - I inadvertently blew up a cheap network tester by 
connecting it to the other end of one of these).


It's not just the RADIUS accounting that you need to set up in the CLI - 
in fact, there's a few useful bits and pieces not supported in the web 
interface. Things like WPA2 pre-authentication are most easily 
configured in the CLI. Fortunately the user guide has full documentation 
of all the CLI commands.



There is a single band version of the 8760, the 7760 (capable of 802.11a 
or 802.11b/g, but not both at once unlike the 8760).




I had a quick look at the manual of the Netgear WPN802v1, and it's a 
device that I'd class only as a consumer grade AP - in fact, it falls 
well short of what most consumer grade APs can achieve. Despite the 
documentation of EAP and WPA2 in the appendix to the manual, it doesn't 
appear from the specification to support anything higher than WPA-PSK, 
which is useless in this context. Handing out a passphrase to 100+ users 
just isn't on.



You hint later that the Netgear APs have WPA Enterprise support - that's 
WPA with RADIUS rather than a Pre Shared Key. If not, you're going to 
need new APs - indeed, you may find that the existing APs really aren't 
up to the job even if they do have WPA Enterprise support. The 'sales' 
pitch is that you will be securing your wireless network properly. I'd 
go for a proper enterprise AP this time, and you could certainly 
evaluate the 3Com units I've mentioned.


Just to indicate how an enterprise grade AP needn't cost a fortune, 
current pricing in the UK is around GBP75 for the Netgear WPN802, whilst 
the 3Com 7760 can be had for GBP110 and the 3Com 8760 for 

Re: a freeradious/wireless solution for a school

2007-01-22 Thread Kalpin Erlangga Silaen

Dear Tas,

I am interested, can you please send the doc to me?

Thank you.







--
Regards,


Kalpin Erlangga Silaen
Digital Circuits made from Analog parts.
---
Menara Rajawali 12th Floor
Jl. Mega Kuningan Lot#5.1
Kawasan Mega Kuningan
Jakarta 12950
Telp : (021) 576-3490
  (021) 576-1234



RE: a freeradious/wireless solution for a school

2007-01-22 Thread Naveen
I too am interested and would appreciate it if you post the doc in the forum

Thanks and regards
Naveen
