Hi,

Thank you for the informative reply. It'll take a couple of days to digest all of it (me being so new to this and all :) ), but I think I can take a look at the PEAP solution. As far as the APs, believe me, this is a fight I've already lost. Being a school, we have next to nothing in the IT budget (it took me a year to convince them that yes, we do need managed switches), and even getting money for infrastructure is a hassle.

Thank you,
German Kalinec


David Wood-6 wrote:
>
> Hi German,
>
> You've already had much wisdom; I'm going to try a comprehensive reply
> to the whole problem.
>
> In message <[EMAIL PROTECTED]>, gkalinec
> <[EMAIL PROTECTED]> writes
>>I work for a mid-size private school (about 700-800 people on campus), and
>>I'm trying to set up a way to limit the use of our wireless to our
>>students/staff. The main problem that I'm encountering is finding a
>>solution that will fit our needs.
>
> Yours is hardly the biggest wireless deployment; there are solutions
> that exist for this.
>
>> A little background first...
>>When I first started (about a year ago, and I'm still the only IT person
>>managing the whole school network) we had crappy wireless at different
>>places on campus for students and staff to access our network. The person
>>who set these up (my current boss) simply did a MAC access control list on
>>each AP and made the students and staff come to him to register their
>>computers. This was a major pain since each of our APs (7 of them) had to
>>have the new MAC address manually added to each AP every time we had a new
>>laptop. The problem with this solution (aside from having to enter the MACs
>>7 times) was that we eventually ran out of room in the MAC table.
>
> MAC authentication is trivially broken. Most wireless cards can work
> with a spoofed MAC address, and MAC addresses are trivially sniffed from
> the air.
>
> As you've also found out, maintainability of MAC tables is an issue.
> Some APs (including the 3Com 8760 - more about that in a minute) support
> MAC authentication against a RADIUS server, but it's usually not worth
> the effort, as it provides little if any extra security on top of WPA.
>
> In fact, the 3Com 8760 doesn't support MAC authentication against a
> RADIUS server when using 802.1x. You could configure the RADIUS server
> to verify the MAC address when dealing with EAP, but this adds so little
> to security it isn't worth the hassle and the maintenance effort in my
> opinion.
>
>>After
>>some negotiating we got new wireless, but still not top of the line (I
>>wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
>>run out of space in the table (it now holds 50, we now have about 100+ laptops
>>being used by students).
>
> It doesn't have to be Cisco to be decent; there are some reasonable
> enough enterprise APs from other vendors.
>
> The latest AP I bought was a 3Com 8760, which is a dual band (802.11a
> and 802.11b/g) AP, capable of WPA and WPA2 with four virtual access
> points per band (each with a different SSID, encryption and
> authentication settings, and optionally a different VLAN as well). It
> supports 802.1q tagged VLAN operation, RADIUS authentication and
> accounting, and you can return which VLAN to connect a user to in the
> Access-Accept packet from your RADIUS server. The 8760 is a Power over
> Ethernet device, and is supplied with a simple Power over Ethernet
> injector.
>
> The only drawbacks I've found are that the web interface doesn't work
> perfectly in Firefox (it's documented as IE only in the current firmware
> release), RADIUS accounting has to be set at the CLI (again, documented
> as a limitation in the current firmware) and the PoE injector isn't
> fully 802.3af compliant, in that it doesn't employ any resistive sensing
> and is permanently live instead (which means you have to be careful what
> you connect it to - I inadvertently blew up a cheap network tester by
> connecting it to the other end of one of these).
>
> It's not just the RADIUS accounting that you need to set up in the CLI -
> in fact, there are a few useful bits and pieces not supported in the web
> interface. Things like WPA2 pre-authentication are most easily
> configured in the CLI. Fortunately the user guide has full documentation
> of all the CLI commands.
>
> There is a single band version of the 8760, the 7760 (capable of 802.11a
> or 802.11b/g, but not both at once unlike the 8760).
>
> I had a quick look at the manual of the Netgear WPN802v1, and it's a
> device that I'd class only as a consumer grade AP - in fact, it falls
> well short of what most consumer grade APs can achieve. Despite the
> documentation of EAP and WPA2 in the appendix to the manual, it doesn't
> appear from the specification to support anything higher than WPA-PSK,
> which is useless in this context. Handing out a passphrase to 100+ users
> just isn't on.
>
> You hint later that the Netgear APs have WPA Enterprise support - that's
> WPA with RADIUS rather than a Pre Shared Key. If not, you're going to
> need new APs - indeed, you may find that the existing APs really aren't
> up to the job even if they do have WPA Enterprise support. The 'sales'
> pitch is that you will be securing your wireless network properly. I'd
> go for a proper enterprise AP this time, and you could certainly
> evaluate the 3Com units I've mentioned.
>
> Just to indicate how an enterprise grade AP needn't cost a fortune,
> current pricing in the UK is around GBP75 for the Netgear WPN802, whilst
> the 3Com 7760 can be had for GBP110 and the 3Com 8760 for GBP175. Power
> over Ethernet makes installation much easier. Overall, the price of
> decent network infrastructure is coming down; a decent 24 port 10/100
> plus 2 port 10/100/1000 L2 managed switch such as a HP Procurve 2510-24
> is around GBP200 now.
>
> If everything has WPA2 support, deploy WPA2, but you may have some
> clients that only support WPA AES, in which case WPA2-Mixed mode may
> come to the rescue. If you have some clients that only support WPA TKIP,
> you'll probably have to use WPA Enterprise TKIP.
>
> It's in this sort of scenario that the virtual APs of the 3Com units are
> useful - you can use WPA2 when possible, whilst accommodating kit that
> can't manage WPA2 as well, optionally on a separate VLAN that maybe
> doesn't have access to more secure internal services.
>
> Indeed, you can use the 3Com APs to provide simultaneous wireless
> hotspot service via a captive portal setup (such as Chillispot) and
> RADIUS authenticated access to the internal network for authorised users
> - again, it's the virtual AP feature that comes in so useful.
>
>>I know that the solution is to implement a radius
>>authentication with the APs that we have. The APs support radius servers
>>using either WAP or legacy 802.1X (with WEP keys). I did tons of research
>>on WAP (being the preferred method), but I could not get around the fact
>>that certificates MUST be installed in the client computer in order for the
>>protocol to work. This is simply impossible since most of our students (and
>>staff for that matter) are unable to install certificates (or unwilling) and
>>having to install certificates manually myself is just too time consuming.
>
> You mean WPA, not WEP.
>
>>So my first question is what methods would you suggest for this kind of set
>>up?
>
> Many wireless supplicants, such as the Microsoft one built into Windows
> XP, only support EAP-TLS and "PEAP" (technically PEAPv0/EAP-MSCHAPv2).
> There are other forms of EAP, such as EAP-TTLS, but without broad
> supplicant support, they're no use to you.
>
> EAP-TLS requires client side certificates. I use it - but for you it's
> out of the question. You need a robust infrastructure to issue client
> certificates and the support burden is heavy, too.
>
> You should therefore look at PEAP - the only certificate required in
> that case is one for the RADIUS server, with the clients using user
> names and passwords.
>
> As others have said, if you have an authentication database already, you
> may be able to leverage that for PEAP in FreeRADIUS (using SQL, LDAP,
> Active Directory or Kerberos as appropriate). It depends on the password
> format, mainly.
>
> You may be able to get away with creating your own CA (or using an
> existing CA under your control) when creating the server certificate,
> but that may require you to install root certificates on at least some
> machines. There's no harm testing with a certificate issued on your own
> CA - if it causes problems, get a certificate for the RADIUS server from
> a CA whose root certificate is in all the operating systems in question.
> Make sure the certificate signing request has the appropriate
> extensions, however!
>
> Using PEAP may give you problems with Windows XP machines that aren't
> upgraded to SP2 (and you may additionally need the KB885453 hotfix). You
> can probably get away with setting the cipher_list in eap.conf to HIGH
> for added security; certainly that works with all my wireless clients,
> though it does depend which ciphers your wireless supplicants support.
>
>>My original idea was to implement the legacy 802.1x option. I managed to
>>set up the AP correctly and the radius server to authenticate based on MAC
>>addresses, but I could not find a way to get the WEP key back to the client
>>laptop. I'm not even sure it is possible, really, and I'm hesitant to try
>>to have our students and staff enter a WEP key into their laptops themselves
>>(since when they fail they will come for me to set it up, and if I wanted to
>>change the WEP key, I would have to re-change it on every laptop). Is there
>>any way for the radius server to send back the WEP key to the client? I
>>know it must seem horribly insecure (and it is), but I have to show my boss
>>a solution that is better than simply leaving our network open.
>>Can someone help or suggest a better way of resolving this?
>
> I'd forget all about WEP with 802.1x; it's not well standardised, it's
> insecure because WEP is insecure and client support is often not as good
> as WPA. WPA2 Enterprise (or if you haven't got the necessary support WPA
> Enterprise) is where you should be looking; the necessary keys to enable
> it to work are generated by the RADIUS server and passed to the AP.
>
> In summary, I recommend setting up a PEAP setup using FreeRADIUS, and
> using that with WPA2 Enterprise on the APs, or WPA Enterprise if that's
> all they support.
>
> If that proves impractical, some kind of Chillispot or similar captive
> portal setup based around RADIUS is possible, but that won't encrypt the
> data on the wireless network, which should be one of your aims.
> Chillispot can be used with WPA, but I have no experience of doing this.
>
> MAC authentication, in my opinion, isn't worth bothering with - the
> security it provides is trivially broken, and management is a nightmare.
>
> If you need new APs, something like the 3Com 7760 or 8760 would be more
> suitable than the arguably consumer grade Netgear units you have, not
> least because you can accommodate legacy clients that can't be upgraded
> to a new secure wireless network whilst requiring all new clients to
> operate on WPA2 Enterprise using PEAP.
>
> David
> --
> David Wood
> [EMAIL PROTECTED]
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221.html#a8624324
Sent from the FreeRadius - User mailing list archive at Nabble.com.
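For reference, this is what the PEAP/WPA2 Enterprise recommendation in the thread looks like as FreeRADIUS configuration. It is an added example, not David's or the FreeRADIUS project's own configuration: a minimal PEAPv0/EAP-MSCHAPv2 eap.conf section with only a server certificate and cipher_list set to HIGH, plus users-file entries that hand the VLAN back in the Access-Accept the way the 8760 expects. FreeRADIUS 2.x syntax, the certificate paths, the user names, passwords and VLAN numbers are all assumptions.

```conf
# --- raddb/eap.conf (FreeRADIUS 2.x syntax assumed; paths are assumptions) ---
eap {
    # PEAPv0 with EAP-MSCHAPv2 inside: what the built-in Windows XP
    # supplicant speaks without extra client software.
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # Only the RADIUS server has a certificate; clients use passwords.
        # The CA that signed server.pem is what gets installed (or is
        # already trusted) on the laptops.
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        # Exclude export/NULL/low-grade suites from the outer TLS tunnel.
        # If an old supplicant cannot connect, this is the first knob to relax.
        cipher_list = "HIGH"
    }

    peap {
        default_eap_type = mschapv2
        # The inner (tunnelled) authentication is where the user is looked
        # up. Without use_tunneled_reply the VLAN attributes set there are
        # dropped and the AP never sees them in the outer Access-Accept.
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}

# --- raddb/clients.conf (one entry per AP; address and secret assumed) ---
client ap-library {
    ipaddr = 192.0.2.10
    secret = change-this-per-ap
    shortname = ap-library
}

# --- raddb/users (constructed sample entries) ---
# MSCHAPv2 needs a cleartext or NT-hash password to work; a one-way
# crypt/SHA hash in an existing database will not do ("it depends on
# the password format"). Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-
# Group-Id are the RFC 3580 attributes an 802.1q-capable AP such as the
# 8760 reads to put the client on a VLAN.
staff1      Cleartext-Password := "assumed-staff-secret"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "10"

student1    Cleartext-Password := "assumed-student-secret"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "20"
```

Run `radiusd -X` while a laptop associates: the debug output shows the outer EAP-TLS handshake, then the inner MSCHAPv2 exchange against the users file, and finally the Access-Accept carrying the three Tunnel-* attributes. If the Accept arrives without them, check `use_tunneled_reply` first; if the handshake fails before the inner tunnel, check the cipher list and the server certificate's extensions.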