Solved

Authentication with RADIUS and LDAP

Posted on 2010-09-15
15
4,075 Views
Last Modified: 2013-12-24
Hello everyone, I am new in the wireless world :)
I have a virtual machine with Fedora 10, with freeradius version 2.1.6 and openldap version 2.4.12. Both are installed in the same virtual machine and working fine, and I can successfully authenticate users that I have created in the ldap database, using the radtest command in the system console. I have a small cafe shop and I want to start using the radius server with the ldap there, so I will connect the radius server to an AP, but I don't know what configuration to put in the eap.conf of the radius server. I already read about authentication algorithms (EAP-TLS, EAP-TTLS, PEAP), but don't know which one is the best to work with ldap.

My question is which authentication algorithm should I use, which is the easiest to configure, and a tutorial on how to do it :)
I want users to authenticate using username and password.

THANKS
0
Question by:JIMYSPEED
15 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 33698603
Hi,

Most wifi cafe solutions use a hotspot approach rather than trying to auth at the wireless layer. Two popular hotspot solutions are chillispot and mikrotik routerOS. The former is open source, the latter is commercial. Personally, my pick is always mikrotik - if you buy a routerboard preloaded with the routerOS software, the cost of the hardware is not a great deal greater than an alternative AP that you would need to buy for chillispot to work.

Cheers!
0
 

Author Comment

by:JIMYSPEED
ID: 33707463
Hi,
I already know chillispot, I have already worked with it before. And since I already had freeradius and openldap working with a minimum configuration, I thought why not use it, and this takes me back to my question lol: which wireless authentication to use :)

best regards
0
 
LVL 5

Expert Comment

by:RikeR
ID: 33708782
I would use PEAPv0/MS-CHAPv2.
It provides good security and is widely adopted. It can be implemented without the use of certificates.
EAP-TTLS requires server certificates and EAP-TLS even requires client certificates.
0

Author Comment

by:JIMYSPEED
ID: 33709529
Hi RikeR,

A solution without certificates is what I need :)
Can you point me to some tutorials about how to implement PEAPv0/MS-CHAPv2?

Thanks in advance :)
0
 
LVL 5

Assisted Solution

by:RikeR
RikeR earned 100 total points
ID: 33711098
Personally I've never done this, but when I look at http://freeradius.org/radiusd/man/rlm_mschap.txt it doesn't look that difficult :)
0
 
LVL 37

Expert Comment

by:meverest
ID: 33712753
>> I already know chillispot, I have already worked with it before. And since I already had freeradius and openldap working with a minimum configuration,
>> I thought why not use it, and this takes me back to my question lol: which wireless authentication to use :)

OK, perhaps I am not understanding the question properly...

PAP/CHAP etc. are generally used for wifi hotspot implementations like chillispot and mikrotik - these are generally implemented at an application layer where authentication is provided by the hotspot server via some kind of http mechanism.

EAP/PEAP etc. are usually applied to the wireless layer - which presents the password as part of the mechanism used to associate the client to the wireless AP. Therefore, these kinds of auth methods are rarely used in a hotspot kind of environment for many reasons, including the fact that you can't establish any kind of over-the-air credit card purchase system or advertising walled garden and so forth (simply because the password is needed before the user even gets a chance to try using the web browser).

So I guess my question back to you ;-) is "what are you trying to do, exactly" - as in how do you want the user to experience the wireless service, and how (and when) do you issue passwords?

Cheers, Mike.
0
 

Author Comment

by:JIMYSPEED
ID: 33715197
Answer to RikeR:
Hi, I configured the mschap module using the link you gave me, quite simple to configure :)
My config of the mschap module:
mschap {
        # name of the Auth-Type this module registers
        authtype = MS-CHAP
        # send MPPE keys in the Access-Accept (WPA/PEAP needs them for key derivation)
        use_mppe = yes
        # require MPPE encryption to be used
        require_encryption = yes
}

Now my problem is with the file eap.conf. I put the default_eap_type in the eap module like this: default_eap_type = peap

and in the peap module like this:
peap {
        # inner (tunneled) EAP method
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # virtual server that handles the inner authentication
        virtual_server = "inner-tunnel"
}

But it still doesn't work, can you tell me if anything is missing?

Answer to meverest:
Hi,
maybe I did not explain myself properly: I want the user to authenticate using username and password. I will create the users myself in the ldap database; I only want the internet to be used by the people I want (example: only friends, or regular clients). I do not need nor want an over-the-air credit card purchase system or advertising walled garden, because I will not charge anything for the use of it, it will be for free.

Thanks :)
0
 

Author Comment

by:JIMYSPEED
ID: 33737662
Anyone have any more tips?
0
 
LVL 37

Expert Comment

by:meverest
ID: 33795099
Hi,

>> maybe I did not explain myself properly: I want the user to authenticate using username and password. I will create the users myself in the ldap database; I only want the internet to be
>> used by the people I want (example: only friends, or regular clients). I do not need nor want an over-the-air credit card purchase system or advertising walled garden, because I will not
>> charge anything for the use of it, it will be for free.

Not at all - your question seems perfectly clear to me. I don't think my answer suggests otherwise...?

Essentially, my suggestion to you is that you probably don't need to do your authentication at the wireless layer - just at the IP layer. Doing it at the IP layer tends to be simpler and easier to implement.

Sure, I know that you are saying that you have already implemented openLDAP/freeRadius, but it also seems that you have not got it actually working yet, and since I think it is probably overkill for what you really want to achieve, I am recommending an alternative that will be simpler, easier to set up and manage: i.e. mikrotik RouterOS.

Cheers.
0
 

Author Comment

by:JIMYSPEED
ID: 33819454
Hi,

well, the openldap/freeradius server is working, I am able to add users to the ldap database and the server responds to the queries with the radtest command. My only problem is finding a correct configuration for the eap.conf file of freeradius. I post this question here on Experts Exchange mainly because I did not find a solution to my problem elsewhere, not even in the freeradius mailing list.
What do I need to use that mikrotik RouterOS?

Thanks
0
 
LVL 37

Accepted Solution

by:meverest
meverest earned 400 total points
ID: 33819556
Hi,

Under routerOS, you can add your radius server entry under 'radius' in the winbox main menu. Enable the 'wireless' checkbox if you want to do it over EAP/PEAP, check the 'hotspot' box if you want to use PAP/CHAP.

For wireless, select 'wireless' in the winbox main menu, then click the 'security' tab. Make a new security profile, call it (say) EAP1, and enable WPA/EAP (and if you want, WPA2/EAP) and click OK. Now select the interfaces tab of the wireless tables, and double click the wireless interface. Select the 'wireless' tab and choose your wireless security profile (e.g. 'EAP1') in the 'security profile' select list. Enable EAP accounting on the 'RADIUS' tab if you want to.

If you want to use CHAP/PAP, select 'IP -> Hotspot' from the admin menu, then click 'setup'. Go through the setup wizard, changing options if you want to, and then finish. Now click on the 'server profiles' tab, double click hsprof1 (or the active profile for the new hotspot) and select the 'login' tab. Make sure that PAP and CHAP are enabled, then click on the 'RADIUS' tab - enable 'use radius', and enable accounting if you want to.

Make sure that you add the router IP address to your radius clients.conf table with a matching radius secret as entered in the routerOS radius config. Run your radius in debug mode while you test password access to your wireless, and adjust the radius attributes as necessary.

Look for supported radius attributes here: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Supported_RADIUS_Attributes

You will need the mikrotik radius dictionary for some of those.

Cheers,  Mike.
0
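The clients.conf entry that meverest's last step asks for, as an added example that is not part of the thread. The client name, the router address 192.0.2.10 and the secret are placeholders; the real values are the router's LAN address and the secret typed into the routerOS 'radius' entry. require_message_authenticator is a standard freeradius 2.x client option; EAP exchanges already carry Message-Authenticator, so requiring it on every packet from this client costs nothing and makes forged Access-Requests from the router's address fail signature checking.

```conf
# Added example: freeradius clients.conf entry for the RouterOS access point.
# Values are placeholders; replace them with the router's address and the
# secret entered under 'radius' in winbox.
client routeros-ap {
        # placeholder: the router's IP address as seen by the radius server
        ipaddr = 192.0.2.10
        # placeholder: must match the secret in the routerOS radius entry;
        # use a long random string, it is the only thing authenticating the AP
        secret = CHANGE-ME-long-random-secret
        shortname = cafe-ap
        nastype = other
        # reject requests without a valid Message-Authenticator (EAP always sends one)
        require_message_authenticator = yes
}
```

While testing, start the server in the foreground with debug output (radiusd -X) and watch for "Ignoring request ... from unknown client" or a shared-secret mismatch, which show up as the Message-Authenticator check failing.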
 

Author Comment

by:JIMYSPEED
ID: 33840335
OK,

thanks for the help anyway.

Best regards
0
 

Author Closing Comment

by:JIMYSPEED
ID: 33840399
No real answer was presented to my real problem.
0
