Solved

Authentication  with RADIUS and LDAP

Posted on 2010-09-15
15
3,903 Views
Last Modified: 2013-12-24
Hello everyone, I am new in the wireless world :)
I have a virtual machine with Fedora 10, with freeradius version 2.1.6 and openldap version 2.4.12. Both are installed in the same virtual machine and working fine, and I can successfully authenticate users that I have created in the ldap database, using the radtest command in the system console. I have a small cafe shop and I want to start using the radius server with the ldap there, so I will connect the radius server to an AP, but I don't know what configuration to put in the eap.conf of the radius server. I already read about authentication algorithms (EAP-TLS, EAP-TTLS, PEAP), but don't know which one is the best to work with ldap.

My question is which authentication algorithm should I use, which is the easiest to configure, and a tutorial on how to do it :)
I want users to authenticate using username and password.

THANKS
Question by:JIMYSPEED
15 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 33698603
Hi,

most wifi cafe solutions use a hotspot approach rather than try to auth at the wireless layer.  Two popular hotspot solutions are chillispot and mikrotik routerOS.  The former is open source, the latter is commercial.  Personally, my pick is always mikrotik - if you buy a routerboard preloaded with the routerOS software, the cost of the hardware is not a great deal greater than an alternative AP that you would need to buy for chillispot to work.

Cheers!
0
 

Author Comment

by:JIMYSPEED
ID: 33707463
Hi,
I already know chillispot, I have already worked with it before. And since I already had the freeradius and the openldap working with a minimum configuration, I thought why not use it, and this takes me back to my question lol which wireless authentication to use :)

best regards
0
 
LVL 5

Expert Comment

by:RikeR
ID: 33708782
I would use PEAPv0/MS-CHAPv2.
It provides good security and is widely adopted. It can be implemented without the use of certificates.
EAP-TTLS requires server certificates and EAP-TLS even requires client certificates.
0
 

Author Comment

by:JIMYSPEED
ID: 33709529
Hi Riker

A solution without certificates is what I need :)
Can you point me to some tutorials about how to implement PEAPv0/MS-CHAPv2?

thanks in advance :)
0
 
LVL 5

Assisted Solution

by:RikeR
RikeR earned 100 total points
ID: 33711098
Personally I've never done this, but when I look at http://freeradius.org/radiusd/man/rlm_mschap.txt it doesn't look that difficult :)
0
 
LVL 37

Expert Comment

by:meverest
ID: 33712753
>> I already know chillispot, I have already worked with it before. And since I already had the freeradius and the openldap working with a minimum configuration,
>> I thought why not use it, and this takes me back to my question lol which wireless authentication to use :)

OK, perhaps I am misunderstanding the question properly...

PAP/CHAP etc are generally used for wifi hotspot implementations like chillispot and mikrotik etc - these are generally implemented at an application layer where authentication is provided by the hotspot server via some kind of http mechanism.

EAP/PEAP etc are usually applied to the wireless layer - which presents the password as part of the mechanism used to associate the client to the wireless AP.  Therefore, these kinds of auth methods are rarely used in a hotspot kind of environment for many reasons, including the fact that you can't establish any kind of over-the-air credit card purchase system or advertising walled-garden and so forth (simply because the password is needed before the user even gets a chance to try using the web browser)

So I guess my question back to you ;-) is "what are you trying to do, exactly" - as in how do you want the user to experience the wireless service, and how (and when) do you issue passwords?

Cheers, Mike.
0
 

Author Comment

by:JIMYSPEED
ID: 33715197
answer to RikeR:
Hi, I configured the mschap module using the link you gave me, quite simple to configure :)
my config of the mschap module:
mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
}

now my problem is with the file eap.conf, I put the default_eap_type in the eap module like this: default_eap_type = peap

and in the peap module like this:
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}

but it still doesn't work, can you tell me if anything is missing?

answer to meverest:
Hi
maybe I did not explain myself properly, I want the user to authenticate using username and password, I will create the users myself in the ldap database, I only want the internet to be used by the ppl I want (example: only friends, or regular clients), I do not need nor want an over-the-air credit card purchase system or advertising walled-garden, because I will not charge anything for the use of it, it will be for free.

thanks :)
0
 

Author Comment

by:JIMYSPEED
ID: 33737662
Anyone have any more tips?
0
 
LVL 37

Expert Comment

by:meverest
ID: 33795099
Hi,

>> maybe I did not explain myself properly, I want the user to authenticate using username and password, I will create the users myself in the ldap database, I only want the internet to be
>> used by the ppl I want (example: only friends, or regular clients), I do not need nor want an over-the-air credit card purchase system or advertising walled-garden, because I will not
>> charge anything for the use of it, it will be for free.

not at all - your question seems perfectly clear to me.  I don't think my answer suggests otherwise...?

essentially, my suggestions to you are that you probably don't need to do your authentication at the wireless layer - just at the IP layer.  Doing it at IP layer tends to be simpler and easier to implement.

Sure, I know that you are saying that you have already implemented openLDAP/freeRadius, but it also seems that you have not got it actually working yet, and since I think it is probably overkill for what you really want to achieve, then I am recommending an alternative that will be simpler, easier to set up and manage: i.e. mikrotik RouterOS.

Cheers.
0
 

Author Comment

by:JIMYSPEED
ID: 33819454
Hi

well, the openldap/freeradius server is working, I am able to add users to the ldap database and the server responds to the queries with the radtest command, my only problem is finding a correct configuration for the eap.conf file of the freeradius. I posted this question here on expert-exchange mainly because I did not find a solution to my problem elsewhere, not even in the freeradius mailing-list.
What do I need to use that mikrotik RouterOS?

thanks
0
 
LVL 37

Accepted Solution

by:
meverest earned 400 total points
ID: 33819556
Hi,

under routerOS, you can add your radius server entry under 'radius' in winbox main menu.  enable 'wireless' checkbox if you want to do it over EAP/PEAP, check 'hotspot' box if you want to use PAP/CHAP.

for wireless, select 'wireless' in winbox main menu, then click 'security' tab.  Make a new security profile, call it (say) EAP1, and enable WPA/EAP (and if you want WPA2/EAP) and click OK.  Now select interfaces tab of wireless tables, and double click the wireless interface.  Select 'wireless tab' and choose your wireless security profile (e.g. 'EAP1') in the 'security profile' select list.  Enable EAP accounting on 'RADIUS' tab if you want to.

If you want to use CHAP/PAP, select 'IP -> Hotspot' from admin menu, then click 'setup'.  Go through the setup wizard, changing options if you want to, and then finish.  Now click on 'server profiles' tab, and double click the hsprof1 (or active profile for the new hotspot) and select 'login' tab.  Make sure that PAP and CHAP are enabled, then click on 'RADIUS' tab - enable 'use radius', and enable accounting if you want to.

Make sure that you add the router IP address to your radius clients.conf table and with matching radius secret as entered in the routerOS radius config.  Run your radius in debug mode while you test password access to your wireless, and adjust the radius attributes as necessary.

Look for supported radius attributes here: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Supported_RADIUS_Attributes

You will need the mikrotik radius dictionary for some of those.

Cheers,  Mike.
0
 

Author Comment

by:JIMYSPEED
ID: 33840335
ok

 thanks for the help anyway

best regards
0
 

Author Closing Comment

by:JIMYSPEED
ID: 33840399
no real answer was presented to my real problem.
0
