LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-10-2004, 05:26 PM   #1
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Rep: Reputation: 30
Guide needed on FreeRADIUS Implementation in a Wireless Lan environment


Purpose : To have a RADIUS (freeradius) server authentication for entry into a wireless lan.

1) Any special requirement needed for the AP?

2) How should the network layout look like with the RADIUS server?

3) In short, a jumpstart guide on how to implement a radius server in a wireless lan

Thanks !
 
Old 03-10-2004, 11:49 PM   #2
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
1. The AP must support an external RADIUS server. Depending on the client O/S and the authentication method, you may need additional features (dynamic WEP keys if using EAP-TLS with XP, for example).

2. A whitepaper with a functional diagram: http://www.mtghouse.com/MDC_8021X_White_Paper.pdf

3. http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.dslreports.com/forum/rema...6052~mode=flat

Read up on the relative merits of the various EAP methods to decide which you'll use. (A glossary to start: http://www.iec.org/online/tutorials/.../glossary.html )

I also suggest reading the mailing list archives at FreeRADIUS.org for implementation tips and gotchas. http://www.mail-archive.com/freeradi...ts.cistron.nl/

Hope that is the jump-start you were looking for. Let me know if you need more help. I'm running EAP-TLS for a home wireless setup using FreeRADIUS.
 
Old 03-11-2004, 08:48 AM   #3
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Original Poster
Rep: Reputation: 30
Thanks for the pointers! Once I'm done with the doc, I might need to trouble you with some enquries

Once again, thank you

Quote:
Originally posted by 2Gnu
1. The AP must support an external RADIUS server. Depending on the client O/S and the authentication method, you may need additional features (dynamic WEP keys if using EAP-TLS with XP, for example).

2. A whitepaper with a functional diagram: http://www.mtghouse.com/MDC_8021X_White_Paper.pdf

3. http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.dslreports.com/forum/rema...6052~mode=flat

Read up on the relative merits of the various EAP methods to decide which you'll use. (A glossary to start: http://www.iec.org/online/tutorials/.../glossary.html )

I also suggest reading the mailing list archives at FreeRADIUS.org for implementation tips and gotchas. http://www.mail-archive.com/freeradi...ts.cistron.nl/

Hope that is the jump-start you were looking for. Let me know if you need more help. I'm running EAP-TLS for a home wireless setup using FreeRADIUS.
 
Old 03-11-2004, 04:09 PM   #4
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Original Poster
Rep: Reputation: 30
Scenerio: One bring in a laptop with WinXP SP! installed.

The balloon "Wireless One or more wireless networks are available. To see a list of available networks, click here" appears on the taskbar. Click on the View available wireless networks and then click on the Connect in the wireless configuration window that pop up (assume open system).

Task: At this point, instead of adding certificate, would it be possible to have a login page (Enter userid, Enter password prompt) displayed when the user open their browser and point to the freeradius server's IP, before they can proceed on with their normal surfing?

Thank you!
 
Old 03-11-2004, 10:33 PM   #5
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
A log-on and redirect is out of my league, but here's what I think I know:
FreeRADIUS can serve as the basis for your scenario, authenticating users against a database or a simple list using passwords or certs, but I think you'll need more pieces to complete the picture.

I found a package that's free for 4 concurrent users, and reasonable for a commercial license.
http://www.mondru.com/hotspotd.html Check out the Hotspot Daemon package. Alternatively, there are APs with this kind of feature set built in. An example - http://www.us.zyxel.com/products/mod...lue=1021876859

Another consideration is encryption. 802.1x lets you control access, but does not protect the data stream. EAP-TLS with dynamic keys lets you avoid the hassle of passing out WEP keys to each client, but you still have to deal with certs.

EAP-MD5 uses a username/password, so is simpler to administer, but is vulnerable to man-in-the-middle and dictionary attacks. Microsoft removed MD5 from XP in SP1 because of this, so using it as an authentication method would require a third part supplicant.

Not sure any or all of this answers the question. Maybe someone else with RADIUS or hotspot experience can jump in and correct me.

edit - I overlooked an obvious choice for the captive portal portion. NoCatAuth seems to provide the front end you'll need for the RADIUS back end. http://nocat.net/

Last edited by 2Gnu; 03-12-2004 at 10:42 AM.
 
Old 03-12-2004, 09:30 PM   #6
2Gnu
Senior Member
 
Registered: Jan 2002
Location: Southern California
Distribution: Slackware 14.0
Posts: 1,874

Rep: Reputation: 49
One last postscript on this topic and I promise I'll move on. I found this while perusing a list of live CDs. http://www.publicip.net/
A hotspot setup on a bootable CD. Listed features:
User Authentication
Homepage Redirection
Strict Firewall Rules
Content Filtering
I'm done.
 
Old 03-14-2004, 09:55 AM   #7
davidas
Member
 
Registered: Mar 2004
Distribution: Debian 'Sarge'
Posts: 168

Original Poster
Rep: Reputation: 30
Thank you very much for the various links! They are of immense help.

Quote:
Originally posted by 2Gnu
One last postscript on this topic and I promise I'll move on. I found this while perusing a list of live CDs. http://www.publicip.net/
A hotspot setup on a bootable CD. Listed features:
User Authentication
Homepage Redirection
Strict Firewall Rules
Content Filtering
I'm done.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LAN address in an environment variable somewhere? bcfriesen Linux - Networking 1 11-02-2005 02:40 PM
Newbie LAN guide Blueshark Linux - Networking 2 07-07-2004 05:58 AM
Teaching Linux Guide needed rootking Linux - Software 3 07-02-2004 02:04 PM
idiots guide to CD burning needed woodywellhung Linux - Software 5 05-08-2004 07:12 PM
wireless shared internet service: which authentication implementation? F1uX Linux - Security 3 01-21-2004 06:43 AM


All times are GMT -5. The time now is 09:35 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration