Authentication with RADIUS and LDAP

Hello everyone, I am new to the wireless world :)
I have a virtual machine with Fedora 10, with freeradius version 2.1.6 and openldap version 2.4.12. Both are installed in the same virtual machine and working fine, and I can successfully authenticate users that I have created in the ldap database using the radtest command in the system console. I have a small cafe shop and I want to start using the radius server with the ldap there, so I will connect the radius server to an AP, but I don't know what configuration to put in the eap.conf of the radius server. I already read about authentication algorithms (EAP-TLS, EAP-TTLS, PEAP), but don't know which one is the best to work with ldap.

My question is which authentication algorithm should I use, which is the easiest to configure, and a tutorial on how to do it :)
I want users to authenticate using username and password.

THANKS
2 Solutions
 
meverest Commented:
Hi,

most wifi cafe solutions use a hotspot approach rather than try to auth at the wireless layer.  Two popular hotspot solutions are chillispot and mikrotik routerOS.  The former is open source, the latter is commercial.  Personally, my pick is always mikrotik - if you buy a routerboard preloaded with the routerOS software, the cost of the hardware is not a great deal greater than an alternative AP that you would need to buy for chillispot to work.

Cheers!
0
 
JIMYSPEED (Author) Commented:
Hi,
I already know chillispot, I have already worked with it before. And since I already had the freeradius and the openldap working with a minimum configuration, I thought why not use it, and this takes me back to my question lol: which wireless authentication to use :)

best regards
0
 
RikeR Commented:
I would use PEAPv0/MS-CHAPv2.
It provides good security and is widely adopted. It can be implemented without the use of certificates.
EAP-TTLS requires server certificates and EAP-TLS even requires client certificates.
0
 
JIMYSPEED (Author) Commented:
Hi RikeR,

A solution without certificates is what I need :)
Can you point me to some tutorials about how to implement PEAPv0/MS-CHAPv2?

thanks in advance :)
0
 
RikeR Commented:
Personally I've never done this, but when I look at http://freeradius.org/radiusd/man/rlm_mschap.txt it doesn't look that difficult :)
0
 
meverest Commented:
>> I already know chillispot, I have already worked with it before. And since I already had the freeradius and the openldap working with a minimum configuration,
>> I thought why not use it, and this takes me back to my question lol: which wireless authentication to use :)

OK, perhaps I am not understanding the question properly...

PAP/CHAP etc are generally used for wifi hotspot implementations like chillispot and mikrotik etc - these are generally implemented at an application layer where authentication is provided by the hotspot server via some kind of http mechanism.

EAP/PEAP etc are usually applied to the wireless layer - which presents the password as part of the mechanism used to associate the client to the wireless AP.  Therefore, these kinds of auth methods are rarely used in a hotspot kind of environment for many reasons, including the fact that you can't establish any kind of over-the-air credit card purchase system or advertising walled-garden and so forth (simply because the password is needed before the user even gets a chance to try using the web browser)

So I guess my question back to you ;-) is "what are you trying to do, exactly" - as in how do you want the user to experience the wireless service, and how (and when) do you issue passwords?

Cheers, Mike.
0
 
JIMYSPEED (Author) Commented:
Answer to RikeR:
Hi, I configured the mschap module using the link you gave me, quite simple to configure :)
My config of the mschap module:
mschap {
    # Auth-Type that this module instance handles
    authtype = MS-CHAP
    # generate MPPE keys from the MS-CHAPv2 exchange (the AP needs them for WPA key material)
    use_mppe = yes
    # and insist that the client uses MPPE encryption
    require_encryption = yes
}

Now my problem is with the file eap.conf. I put the default_eap_type in the eap module like this: default_eap_type = peap

and in the peap module like this:
peap {
    # inner EAP method run inside the PEAP TLS tunnel
    default_eap_type = mschapv2
    # do not copy outer request attributes into the tunnel
    copy_request_to_tunnel = no
    # do not send the inner reply attributes back in the outer reply
    use_tunneled_reply = no
    # virtual server that processes the inner (tunneled) request
    virtual_server = "inner-tunnel"
}

But it still doesn't work, can you tell me if anything is missing?

Answer to meverest:
Hi,
Maybe I did not explain myself properly. I want the user to authenticate using username and password, I will create the users myself in the ldap database, I only want the internet to be used by the people I want (example: only friends, or regular clients). I do not need nor do I want an over-the-air credit card purchase system or advertising walled-garden, because I will not charge anything for the use of it, it will be for free.

thanks :)
0
 
JIMYSPEED (Author) Commented:
Anyone have any more tips?
0
 
meverest Commented:
Hi,

>> Maybe I did not explain myself properly. I want the user to authenticate using username and password, I will create the users myself in the ldap database, I only want the internet to be
>> used by the people I want (example: only friends, or regular clients). I do not need nor do I want an over-the-air credit card purchase system or advertising walled-garden, because I will not
>> charge anything for the use of it, it will be for free.

Not at all - your question seems perfectly clear to me.  I don't think my answer suggests otherwise...?

Essentially, my suggestion to you is that you probably don't need to do your authentication at the wireless layer - just at the IP layer.  Doing it at the IP layer tends to be simpler and easier to implement.

Sure, I know that you are saying that you have already implemented openLDAP/freeRadius, but it also seems that you have not got it actually working yet, and since I think it is probably overkill for what you really want to achieve, I am recommending an alternative that will be simpler, easier to set up and manage: i.e. mikrotik RouterOS.

Cheers.
0
 
JIMYSPEED (Author) Commented:
Hi,

Well, the openldap/freeradius server is working, I am able to add users to the ldap database and the server responds to the queries with the radtest command. My only problem is finding a correct configuration for the eap.conf file of freeradius. I posted this question here on Experts Exchange mainly because I did not find a solution to my problem elsewhere, not even on the freeradius mailing list.
What do I need to use that mikrotik RouterOS?

thanks
0
 
meverest Commented:
Hi,

Under routerOS, you can add your radius server entry under 'radius' in the winbox main menu.  Enable the 'wireless' checkbox if you want to do it over EAP/PEAP, check the 'hotspot' box if you want to use PAP/CHAP.

for wireless, select 'wireless' in winbox main menu, then click 'security' tab.  Make a new security profile, call it (say) EAP1, and enable WPA/EAP (and if you want WPA2/EAP) and click OK.  Now select interfaces tab of wireless tables, and double click the wireless interface.  Select 'wireless tab' and choose your wireless security profile (e.g. 'EAP1') in the 'security profile' select list.  Enable EAP accounting on 'RADIUS' tab if you want to.

If you want to use CHAP/PAP, select 'IP -> Hotspot' from admin menu, then click 'setup'.  Go through the setup wizard, changing options if you want to, and then finish.  Now click on 'server profiles' tab, and double click the hsprof1 (or active profile for the new hotspot) and select 'login' tab.  Make sure that PAP and CHAP are enabled, then click on 'RADIUS' tab - enable 'use radius', and enable accounting if you want to.

Make sure that you add the router IP address to your radius clients.conf table and with matching radius secret as entered in the routerOS radius config.  Run your radius in debug mode while you test password access to your wireless, and adjust the radius attributes as necessary.

Look for supported radius attributes here: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Supported_RADIUS_Attributes

You will need the mikrotik radius dictionary for some of those.

Cheers, Mike.
0
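Before pointing an AP at the server, a practitioner would check the two configuration pieces this thread turns on: the eap.conf chain posted above (eap default_eap_type = peap, a peap sub-block with default_eap_type = mschapv2 and a virtual_server for the inner request, plus the tls and mschapv2 sub-blocks) and the clients.conf entry for the AP with a matching shared secret, as the RouterOS post recommends. The linter below is an added example written for this thread, not code from FreeRADIUS or from anyone posting here. It assumes the constructed sample configs embedded in it (AP address 192.0.2.10, placeholder certificate paths, a made-up secret) and applies its own 16-character minimum for the secret; it parses only the plain name { key = value } block syntax, not $INCLUDE lines or ${var} expansion. Two facts it can only partly check: PEAP wraps the inner MS-CHAPv2 exchange in a TLS tunnel, so the server needs a certificate and private key even though the wireless clients need none (FreeRADIUS 2.x ships a certs/ directory with a bootstrap script that generates test certificates); and MS-CHAPv2 authenticates by computing a response from the NT hash of the password, so the LDAP entries must give FreeRADIUS an NT hash or cleartext password rather than only a bind.

```python
"""Lint FreeRADIUS 2.x-style eap.conf / clients.conf fragments (added example,
not FreeRADIUS code): parse the `name { key = value }` block syntax, then check
the PEAP -> MS-CHAPv2 chain, the server certificate and the AP's client entry."""
import re

_OPEN = re.compile(r'^(\S+)(?:\s+(\S+))?\s*\{\s*(?:#.*)?$')   # `eap {` or `client 192.0.2.10 {`
_CLOSE = re.compile(r'^\}\s*(?:#.*)?$')
_SETTING = re.compile(r'^([\w.-]+)\s*=\s*(.*)$')              # `key = value`
_QUOTED = re.compile(r'^"([^"]*)"|^\'([^\']*)\'')

def parse_radius_conf(text):
    """Nested dicts; `client 192.0.2.10 {` becomes key "client 192.0.2.10". Quotes
    are stripped, and a '#' inside a quoted value (e.g. a shared secret) is kept."""
    stack = [{}]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if _OPEN.match(line):
            name, instance = _OPEN.match(line).groups()
            stack[-1][name + (' ' + instance if instance else '')] = block = {}
            stack.append(block)
        elif _CLOSE.match(line):
            if len(stack) == 1:
                raise ValueError('line %d: unbalanced }' % lineno)
            stack.pop()
        elif _SETTING.match(line):
            key, value = _SETTING.match(line).groups()
            q = _QUOTED.match(value)   # quoted: keep verbatim; bare: drop a trailing comment
            stack[-1][key] = (q.group(1) or q.group(2) or '') if q else value.split('#', 1)[0].strip()
        else:
            raise ValueError('line %d: unrecognised syntax: %r' % (lineno, raw))
    if len(stack) != 1:
        raise ValueError('unclosed block at end of input')
    return stack[0]

def check_eap_conf(conf):
    """Problems for a PEAP/MS-CHAPv2 setup; an empty list means the checks pass."""
    eap = conf.get('eap')
    if eap is None:
        return ['no eap { } block']
    problems = []
    if eap.get('default_eap_type') != 'peap':
        problems.append('eap: default_eap_type should be peap')
    peap = eap.get('peap')
    if peap is None:
        problems.append('eap: missing peap { } sub-block')
    elif peap.get('default_eap_type') != 'mschapv2' or not peap.get('virtual_server'):
        problems.append('peap: need default_eap_type = mschapv2 and a virtual_server (e.g. inner-tunnel)')
    if 'mschapv2' not in eap:
        problems.append('eap: missing mschapv2 { } sub-block')
    tls = eap.get('tls')   # PEAP runs inside TLS: the server needs a certificate even if clients have none
    if tls is None:
        problems.append('eap: missing tls { } sub-block (server certificate for the PEAP tunnel)')
    else:
        problems += ['tls: %s unset' % k for k in ('certificate_file', 'private_key_file', 'CA_file') if not tls.get(k)]
    return problems

def check_clients_conf(conf, ap_address):
    """Problems with the clients.conf entry for the AP; an empty list means it passes."""
    entry = next((body for name, body in conf.items() if name.startswith('client ')
                  and ap_address in (name.split(' ', 1)[1], body.get('ipaddr'))), None)
    if entry is None:
        return ['clients.conf: no client entry for %s (its requests would be dropped as unknown)' % ap_address]
    secret = entry.get('secret', '')
    if secret == 'testing123':   # the example secret shipped in the stock clients.conf
        return ['client %s: secret is the stock example value testing123' % ap_address]
    if len(secret) < 16:         # this example's own minimum, not a FreeRADIUS rule
        return ['client %s: secret unset or shorter than 16 characters' % ap_address]
    return []

# Constructed eap.conf: the thread's fragment plus the tls and mschapv2 sub-blocks it lacked (placeholder paths).
EAP_CONF = """eap {
    default_eap_type = peap
    tls {
        certificate_file = ${confdir}/certs/server.pem   # placeholder path
        private_key_file = ${confdir}/certs/server.key
        CA_file = ${confdir}/certs/ca.pem
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}"""
# Constructed clients.conf: the stock localhost entry plus the AP at 192.0.2.10.
CLIENTS_CONF = """client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client 192.0.2.10 {
    secret = "cafe#ap-s3cret-2009-xx"   # '#' inside quotes is part of the secret
    shortname = cafe-ap
}"""

def lint_all(eap_conf=EAP_CONF, clients_conf=CLIENTS_CONF, ap_address='192.0.2.10'):
    """Run both checks; returns {'eap': [...], 'clients': [...]} (empty lists mean OK)."""
    return {'eap': check_eap_conf(parse_radius_conf(eap_conf)),
            'clients': check_clients_conf(parse_radius_conf(clients_conf), ap_address)}
```

lint_all() with no arguments checks the constructed samples and returns empty lists for both; pass your own file contents as eap_conf= and clients_conf= together with the AP's address to check a real setup. Running the server in debug mode while the AP tries to authenticate, as suggested above, shows which of these the server itself complains about.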
 
JIMYSPEED (Author) Commented:
ok

 thanks for the help anyway

best regards
0
 
JIMYSPEED (Author) Commented:
no real answer was presented to my real problem.
0