JIMYSPEED

Authentication with RADIUS and LDAP

Hello everyone, I am new to the wireless world :)
I have a virtual machine with Fedora 10, with FreeRADIUS version 2.1.6 and OpenLDAP version 2.4.12. Both are installed in the same virtual machine and working fine, and I can successfully authenticate users that I have created in the LDAP database, using the radtest command in the system console. I have a small cafe shop and I want to start using the RADIUS server with LDAP there, so I will connect the RADIUS server to an AP, but I don't know what configuration to put in the eap.conf of the RADIUS server. I already read about authentication algorithms (EAP-TLS, EAP-TTLS, PEAP), but don't know which one is the best to work with LDAP.

My question is which authentication algorithm I should use, which is the easiest to configure, and a tutorial on how to do it :)
I want users to authenticate using username and password.

THANKS
meverest
Hi,

Most wifi cafe solutions use a hotspot approach rather than try to auth at the wireless layer.  Two popular hotspot solutions are chillispot and mikrotik routerOS.  The former is open source, the latter is commercial.  Personally, my pick is always mikrotik - if you buy a routerboard preloaded with the routerOS software, the cost of the hardware is not a great deal greater than an alternative AP that you would need to buy for chillispot to work.

Cheers!
JIMYSPEED

ASKER

Hi,
I already know chillispot, I have already worked with it before. And since I already had FreeRADIUS and OpenLDAP working with a minimum configuration, I thought why not use it, and this takes me back to my question lol, which wireless authentication to use :)

Best regards
I would use PEAPv0/MS-CHAPv2.
It provides good security and is widely adopted. It can be implemented without the use of certificates.
EAP-TTLS requires server certificates and EAP-TLS even requires client certificates.
Hi Riker

A solution without certificates is what I need :)
Can you point me to some tutorials about how to implement PEAPv0/MS-CHAPv2?

Thanks in advance :)
SOLUTION
RikeR
>> I already know chillispot, I have already worked with it before. And since I already had FreeRADIUS and OpenLDAP working with a minimum configuration,
>> I thought why not use it, and this takes me back to my question lol, which wireless authentication to use :)

OK, perhaps I am misunderstanding the question properly...

PAP/CHAP etc are generally used for wifi hotspot implementations like chillispot and mikrotik etc - these are generally implemented at an application layer where authentication is provided by the hotspot server via some kind of http mechanism.

EAP/PEAP etc are usually applied to the wireless layer - which presents the password as part of the mechanism used to associate the client to the wireless AP.  Therefore, these kinds of auth methods are rarely used in a hotspot kind of environment for many reasons, including the fact that you can't establish any kind of over-the-air credit card purchase system or advertising walled-garden and so forth (simply because the password is needed before the user even gets a chance to try using the web browser)

So I guess my question back to you ;-) is "what are you trying to do, exactly" - as in how do you want the user to experience the wireless service, and how (and when) do you issue passwords?

Cheers, Mike.
Answer to RikeR:
Hi, I configured the mschap module using the link you gave me, quite simple to configure :)
My config of the mschap module:
mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
}

Now my problem is with the file eap.conf. I put the default_eap_type in the eap module like this: default_eap_type = peap

and in the peap module like this:
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}

But it still doesn't work, can you tell me if anything is missing?

Answer to meverest:
Hi
Maybe I did not explain myself properly. I want the user to authenticate using username and password, I will create the users myself in the LDAP database, I only want the internet to be used by the people I want (example: only friends, or regular clients). I do not need, nor do I want, an over-the-air credit card purchase system or advertising walled-garden, because I will not charge anything for the use of it, it will be free.

Thanks :)
Anyone have any more tips?
Hi,

>> Maybe I did not explain myself properly. I want the user to authenticate using username and password, I will create the users myself in the LDAP database, I only want the internet to be
>> used by the people I want (example: only friends, or regular clients). I do not need, nor do I want, an over-the-air credit card purchase system or advertising walled-garden, because I will not
>> charge anything for the use of it, it will be free.

Not at all - your question seems perfectly clear to me.  I don't think my answer suggests otherwise...?

Essentially, my suggestions to you are that you probably don't need to do your authentication at the wireless layer - just at the IP layer.  Doing it at IP layer tends to be simpler and easier to implement.

Sure, I know that you are saying that you have already implemented openLDAP/freeRadius, but it also seems that you have not got it actually working yet, and since I think it is probably overkill for what you really want to achieve, then I am recommending an alternative that will be simpler, easier to set up and manage: i.e. mikrotik RouterOS.

Cheers.
Hi

Well, the OpenLDAP/FreeRADIUS server is working, I am able to add users to the LDAP database and the server responds to the queries with the radtest command. My only problem is finding a correct configuration for the eap.conf file of FreeRADIUS. I posted this question here on Experts Exchange mainly because I did not find a solution to my problem elsewhere, not even on the FreeRADIUS mailing list.
What do I need to use that mikrotik RouterOS?

Thanks
ASKER CERTIFIED SOLUTION
OK

Thanks for the help anyway

Best regards
No real answer was presented to my real problem.