Old 03-10-2004, 05:26 PM   #1
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Rep: Reputation: 30
Guide needed on FreeRADIUS Implementation in a Wireless Lan environment


Purpose: To have RADIUS (FreeRADIUS) server authentication for entry into a wireless LAN.

1) Any special requirement needed for the AP?

2) What should the network layout look like with the RADIUS server?

3) In short, a jumpstart guide on how to implement a RADIUS server in a wireless LAN.

Thanks !
 
Old 03-10-2004, 11:49 PM   #2
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware
Posts: 1,880

Rep: Reputation: 51
1. The AP must support an external RADIUS server. Depending on the client O/S and the authentication method, you may need additional features (dynamic WEP keys if using EAP-TLS with XP, for example).

2. A whitepaper with a functional diagram: http://www.mtghouse.com/MDC_8021X_White_Paper.pdf

3. http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.dslreports.com/forum/rema...6052~mode=flat

Read up on the relative merits of the various EAP methods to decide which you'll use. (A glossary to start: http://www.iec.org/online/tutorials/.../glossary.html )

I also suggest reading the mailing list archives at FreeRADIUS.org for implementation tips and gotchas. http://www.mail-archive.com/freeradi...ts.cistron.nl/

Hope that is the jump-start you were looking for. Let me know if you need more help. I'm running EAP-TLS for a home wireless setup using FreeRADIUS.
 
Old 03-11-2004, 08:48 AM   #3
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Original Poster
Rep: Reputation: 30
Thanks for the pointers! Once I'm done with the doc, I might need to trouble you with some enquiries.

Once again, thank you

 
Old 03-11-2004, 04:09 PM   #4
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Original Poster
Rep: Reputation: 30
Scenario: Someone brings in a laptop with WinXP SP1 installed.

The balloon "Wireless One or more wireless networks are available. To see a list of available networks, click here" appears on the taskbar. Click on "View available wireless networks" and then click on "Connect" in the wireless configuration window that pops up (assume open system).

Task: At this point, instead of adding a certificate, would it be possible to have a login page (Enter userid, Enter password prompt) displayed when the user opens their browser and points it to the FreeRADIUS server's IP, before they can proceed with their normal surfing?

Thank you!
 
Old 03-11-2004, 10:33 PM   #5
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware
Posts: 1,880

Rep: Reputation: 51
A log-on and redirect is out of my league, but here's what I think I know:
FreeRADIUS can serve as the basis for your scenario, authenticating users against a database or a simple list using passwords or certs, but I think you'll need more pieces to complete the picture.

I found a package that's free for 4 concurrent users, and reasonable for a commercial license.
http://www.mondru.com/hotspotd.html Check out the Hotspot Daemon package. Alternatively, there are APs with this kind of feature set built in. An example - http://www.us.zyxel.com/products/mod...lue=1021876859

Another consideration is encryption. 802.1x lets you control access, but does not protect the data stream. EAP-TLS with dynamic keys lets you avoid the hassle of passing out WEP keys to each client, but you still have to deal with certs.

EAP-MD5 uses a username/password, so is simpler to administer, but is vulnerable to man-in-the-middle and dictionary attacks. Microsoft removed MD5 from XP in SP1 because of this, so using it as an authentication method would require a third-party supplicant.

Not sure any or all of this answers the question. Maybe someone else with RADIUS or hotspot experience can jump in and correct me.

edit - I overlooked an obvious choice for the captive portal portion. NoCatAuth seems to provide the front end you'll need for the RADIUS back end. http://nocat.net/

Last edited by 2Gnu; 03-12-2004 at 10:42 AM.
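
A defensive check related to the EAP-MD5 point in the post above, added here as an example and not part of the thread or of FreeRADIUS itself: a small Python audit that reads a FreeRADIUS-style `eap` module file and flags EAP-MD5 when it is the default method or an enabled sub-module. The sample configuration is constructed for illustration, and the function names (`parse_eap`, `audit`) are hypothetical.

```python
import re

# Constructed sample in the style of a FreeRADIUS eap module file (not from the thread).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = md5      # password-only method, no keying material
    timer_expire = 60
    md5 {
    }
    # leap {
    # }
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
    }
}
"""

# Methods the thread calls out as prone to MITM and dictionary attacks.
WEAK_METHODS = {"md5"}

def strip_comments(text):
    """Drop '#' comments so commented-out sections are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def parse_eap(text):
    """Return (default_eap_type, set of sub-sections opened directly inside eap { })."""
    default, methods, depth = None, set(), 0
    for line in strip_comments(text).splitlines():
        line = line.strip()
        m = re.match(r"default_eap_type\s*=\s*(\S+)", line)
        if m and depth == 1:
            default = m.group(1).lower()
        m = re.match(r"([\w-]+)(?:\s+[\w-]+)?\s*\{", line)
        if m and depth == 1:
            methods.add(m.group(1).lower())
        # "${certdir}" contributes one '{' and one '}', so it nets to zero.
        depth += line.count("{") - line.count("}")
    return default, methods

def audit(text):
    """List findings for weak EAP methods used as the outer authentication method."""
    default, methods = parse_eap(text)
    findings = []
    if default in WEAK_METHODS:
        findings.append(f"default_eap_type is {default}")
    for name in sorted(methods & WEAK_METHODS):
        findings.append(f"{name} sub-module is enabled")
    return findings
```

Running `audit()` over the live `eap` file after each change gives a quick regression check that EAP-MD5 has not been re-enabled as an outer method.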
 
Old 03-12-2004, 09:30 PM   #6
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware
Posts: 1,880

Rep: Reputation: 51
One last postscript on this topic and I promise I'll move on. I found this while perusing a list of live CDs. http://www.publicip.net/
A hotspot setup on a bootable CD. Listed features:
User Authentication
Homepage Redirection
Strict Firewall Rules
Content Filtering
I'm done.
 
Old 03-14-2004, 09:55 AM   #7
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Original Poster
Rep: Reputation: 30
Thank you very much for the various links! They are of immense help.

 