Solved

Authentication  with RADIUS and LDAP

Posted on 2010-09-15
Last Modified: 2013-12-24
Hello everyone, I am new in the wireless world :)
I have a virtual machine with Fedora 10, with freeradius version 2.1.6 and openldap version 2.4.12. Both are installed in the same virtual machine and working fine, and I can successfully authenticate users that I have created in the LDAP database using the radtest command in the system console. I have a small cafe shop and I want to start using the radius server with the LDAP there, so I will connect the radius server to an AP, but I don't know what configuration to put in the eap.conf of the radius server. I already read about authentication algorithms (EAP-TLS, EAP-TTLS, PEAP), but I don't know which one is the best to work with LDAP.

My question is which authentication algorithm I should use, which one is the easiest to configure, and a tutorial on how to do it :)
I want users to authenticate using username and password.

THANKS
Question by:JIMYSPEED
15 Comments
LVL 37

Expert Comment

by:meverest
Hi,

Most wifi cafe solutions use a hotspot approach rather than try to auth at the wireless layer.  Two popular hotspot solutions are chillispot and mikrotik routerOS.  The former is open source, the latter is commercial.  Personally, my pick is always mikrotik - if you buy a routerboard preloaded with the routerOS software, the cost of the hardware is not a great deal greater than an alternative AP that you would need to buy for chillispot to work.

Cheers!
0
 

Author Comment

by:JIMYSPEED
Hi,
I already know chillispot, I have already worked with it before. And since I already had the freeradius and the openldap working with a minimum configuration, I thought why not use it, and this takes me back to my question lol: which wireless authentication to use :)

best regards
0
 
LVL 5

Expert Comment

by:RikeR
I would use PEAPv0/MS-CHAPv2.
It provides good security and is widely adopted. It can be implemented without the use of certificates.
EAP-TTLS requires server certificates and EAP-TLS even requires client certificates.
0
 

Author Comment

by:JIMYSPEED
Hi Riker

A solution without certificates is what I need :)
Can you point me to some tutorials about how to implement PEAPv0/MS-CHAPv2?

thanks in advance :)
0
 
LVL 5

Assisted Solution

by:RikeR
RikeR earned 100 total points
Personally I've never done this, but when I look at http://freeradius.org/radiusd/man/rlm_mschap.txt it doesn't look that difficult :)
0
 
LVL 37

Expert Comment

by:meverest
>> i already know chilipot, i have already worked with it before. And since i had already the freeradius and the openldap working with a minimum configuration,
>>  i thought why not use it, and this takes me back to my question lol which wireless authentication to use :)

OK, perhaps I am misunderstanding the question properly...

PAP/CHAP etc are generally used for wifi hotspot implementations like chillispot and mikrotik etc - these are generally implemented at an application layer where authentication is provided by the hotspot server via some kind of http mechanism.

EAP/PEAP etc are usually applied to the wireless layer - which presents the password as part of the mechanism used to associate the client to the wireless AP.  Therefore, these kinds of auth methods are rarely used in a hotspot kind of environment for many reasons, including the fact that you can't establish any kind of over-the-air credit card purchase system or advertising walled-garden and so forth (simply because the password is needed before the user even gets a chance to try using the web browser)

So I guess my question back to you ;-) is "what are you trying to do, exactly" - as in how do you want the user to experience the wireless service, and how (and when) do you issue passwords?

Cheers, Mike.
0

Author Comment

by:JIMYSPEED
Answer to RikeR:
Hi, I configured the mschap module using the link you gave me, quite simple to configure :)
My config of the mschap module:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
}

Now my problem is with the file eap.conf. I put the default_eap_type in the eap module like this: default_eap_type = peap

and in the peap module like this:
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}

But it still doesn't work, can you tell me if anything is missing?

Answer to meverest:
Hi,
maybe I did not explain myself properly. I want the user to authenticate using username and password, I will create the users myself in the LDAP database, I only want the internet to be used by the people I want (example: only friends, or regular clients), I do not need nor want an over-the-air credit card purchase system or advertising walled garden, because I will not charge anything for the use of it, it will be free.

thanks :)
0
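Added example (not from this thread or the FreeRADIUS project) of the pieces a FreeRADIUS 2.x PEAP/MS-CHAPv2 setup needs around the mschap and peap blocks shown above: the AP as a RADIUS client, the eap.conf outer TLS tunnel, and an inner-tunnel virtual server that runs the ldap module. The AP address and shared secret are placeholders; note that PEAP does need a server certificate for the outer TLS tunnel (clients need none), and MS-CHAPv2 needs a password the server can turn into an NT hash, so userPassword in LDAP must be stored in cleartext (or as an NT hash), not as an {SSHA} digest.

```conf
# --- raddb/clients.conf : the AP must be a known RADIUS client ---
client cafe_ap {
    ipaddr    = 192.168.1.2               # placeholder: the AP's LAN address
    secret    = CHANGE-ME-SHARED-SECRET   # placeholder: same value entered on the AP
    shortname = cafe-ap
}

# --- raddb/eap.conf : PEAP outer tunnel, EAP-MSCHAPv2 inside ---
eap {
    default_eap_type = peap
    tls {
        # PEAP still needs a *server* certificate for the TLS tunnel;
        # FreeRADIUS 2.x can generate test ones with `make` in raddb/certs.
        certdir   = ${confdir}/certs
        cadir     = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file   = ${cadir}/ca.pem
        dh_file   = ${certdir}/dh
        random_file = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# --- raddb/sites-enabled/inner-tunnel : where the LDAP lookup happens ---
server inner-tunnel {
    authorize {
        ldap            # fetches the user; userPassword must be readable by the bind DN
        eap {
            ok = return
        }
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap      # EAP-MSCHAPv2 calls this section to check the NT hash
        }
        eap
    }
}
```

With the default OpenLDAP ACLs, userPassword is readable only by the entry itself and the rootdn, so the ldap module's bind identity needs an explicit read ACL on that attribute; running radiusd -X will show whether Cleartext-Password or NT-Password was found before mschap runs.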
 

Author Comment

by:JIMYSPEED
Anyone have any more tips?
0
 
LVL 37

Expert Comment

by:meverest
Hi,

>> maybe i did not explain myself properly, i want the user to authenticate using username and password, i will create the users myself in the ldap database, i only want the internet to be
>> used by the ppl i want (example: only friends, or regular clients), i do not need nor i want a over-the-air credit card purchase system or advertising walled-garden,  because i will not
>> charge nothing for the use of it, it will be for free.

Not at all - your question seems perfectly clear to me.  I don't think my answer suggests otherwise...?

Essentially, my suggestion to you is that you probably don't need to do your authentication at the wireless layer - just at the IP layer.  Doing it at the IP layer tends to be simpler and easier to implement.

Sure, I know that you are saying that you have already implemented openLDAP/freeRadius, but it also seems that you have not got it actually working yet, and since I think it is probably overkill for what you really want to achieve, I am recommending an alternative that will be simpler, easier to set up and manage: i.e. mikrotik RouterOS.

Cheers.
0
 

Author Comment

by:JIMYSPEED
Hi

Well, the openldap/freeradius server is working, I am able to add users to the LDAP database and the server responds to the queries with the radtest command. My only problem is finding a correct configuration for the eap.conf file of freeradius. I posted this question here on Experts Exchange mainly because I did not find a solution to my problem elsewhere, not even in the freeradius mailing list.
What do I need to use that mikrotik RouterOS?

thanks
0
 
LVL 37

Accepted Solution

by:
meverest earned 400 total points
Hi,

Under routerOS, you can add your radius server entry under 'radius' in the winbox main menu.  Enable the 'wireless' checkbox if you want to do it over EAP/PEAP, check the 'hotspot' box if you want to use PAP/CHAP.

For wireless, select 'wireless' in the winbox main menu, then click the 'security' tab.  Make a new security profile, call it (say) EAP1, and enable WPA/EAP (and if you want, WPA2/EAP) and click OK.  Now select the interfaces tab of wireless tables, and double click the wireless interface.  Select the 'wireless' tab and choose your wireless security profile (e.g. 'EAP1') in the 'security profile' select list.  Enable EAP accounting on the 'RADIUS' tab if you want to.

If you want to use CHAP/PAP, select 'IP -> Hotspot' from the admin menu, then click 'setup'.  Go through the setup wizard, changing options if you want to, and then finish.  Now click on the 'server profiles' tab, double click hsprof1 (or the active profile for the new hotspot) and select the 'login' tab.  Make sure that PAP and CHAP are enabled, then click on the 'RADIUS' tab - enable 'use radius', and enable accounting if you want to.

Make sure that you add the router IP address to your radius clients.conf table, with a radius secret matching the one entered in the routerOS radius config.  Run your radius in debug mode while you test password access to your wireless, and adjust the radius attributes as necessary.

Look for supported radius attributes here: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Supported_RADIUS_Attributes

You will need the mikrotik radius dictionary for some of those.

Cheers,  Mike.
0
 

Author Comment

by:JIMYSPEED
Ok

Thanks for the help anyway.

best regards
0
 

Author Closing Comment

by:JIMYSPEED
No real answer was presented to my real problem.
0
