Alan DeKok wrote:
> Doc. Caliban wrote:
> > All of our public workstations are on this interface so the machines are
> > verified at the proxy.
>
>   So... how does it do that?
IPCop, the network router, is the NAS in this case.

It has 3 interfaces, the WAN, LAN, and WiFi Access. (Known in IPCop as Red, Green, and Blue.) A fourth interface (Orange) can be added as a DMZ, but I don't need that at this time.

The Blue interface requires a MAC address for each node allowed to connect. Typically you'd just put the AP's MAC in there and let the AP act as the DHCP server. In reality you can add the MAC for any device you want, which is how the public machines are verified: The only way they can connect in the first place is that I've added their MAC addresses to the access list.

IPCop can also require user authentication across both the Green and Blue interfaces (it's all or nothing in that regard) via a local ACL, identd, LDAP, Windows authentication, or RADIUS. My user database already exists in MySQL for other reasons, so using RADIUS to tap into that is the easiest solution. For various reasons, I also do not want to add about 80% of the users to the Windows AD.

The plus side of this is that anyone using a public machine will have to be a valid user. The downside is that the few people who are on the LAN (Green) interface will also have to deal with RADIUS even though they are already validated in the Windows domain. It had been suggested to add their MACs to the user database in MySQL and arrange it so that they are allowed to skip the RADIUS process, but dealing with that is well out of my skill set.

In January we will receive a bunch of Cisco APs to replace the rather motley collection that we are using now. At that point I will look at handing the NAS functions to them, but for now it will happen at the router.

From the feedback, it sounds like I'm heading in the right direction with PEAP / MS-CHAP-V2, which is what my test laptop came up with automatically. I will also be sure to incorporate the suggestions regarding the proper configuration of the clients in implementing this.

This has been a great resource! Thanks to everyone who has responded, and to whoever set up and maintains the mailing list.

Regards,

-Doc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
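The MAC-based bypass that Doc says was suggested to him, sketched as an added example in Python. This is not IPCop, FreeRADIUS or Doc's code; it assumes a hypothetical MAC column in the MySQL user table (stood in for by a dict) and runs over constructed Access-Request attribute sets. The attribute names (Calling-Station-Id, NAS-Port-Type, EAP-Message, User-Name) are standard RADIUS ones. It shows two things the real policy would need: canonicalising the MAC, because different NAS vendors format Calling-Station-Id differently and a raw string compare silently misses most of them, and honouring the bypass only when NAS-Port-Type says the request came in on a wired port, because a MAC can be cloned by anyone within radio range and on the Blue interface it is a filter, not an identity.

```python
# Added example (not IPCop or FreeRADIUS code): an authorization policy that
# lets hosts listed by MAC skip the password step only on the wired (Green)
# side, and sends everything else to PEAP/MSCHAPv2.  Attribute names follow
# RADIUS; the table below and the decision strings are this sketch's own.
import re

# Constructed stand-in for the MySQL user table in the post, extended with the
# hypothetical per-user MAC column that the suggested bypass would need.
# Keys are MACs in the canonical form produced by normalize_mac().
KNOWN_LAN_MACS = {
    "00:11:22:aa:bb:cc": "alice",
    "00:11:22:aa:bb:dd": "bob",
}

# NAS-Port-Type values (RFC 2865 names) on which the MAC bypass is honoured.
# Wireless is deliberately excluded: a MAC can be cloned from across the room,
# so on the Blue interface it is a filter, not an identity.
WIRED_PORT_TYPES = {"Ethernet"}

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise a Calling-Station-Id to 'aa:bb:cc:dd:ee:ff'.

    NAS vendors send '00-11-22-AA-BB-CC', '0011.22aa.bbcc' or
    '00:11:22:aa:bb:cc'; a lookup that compares raw strings works for
    one of them and silently fails for the rest.  Returns None for
    anything that is not twelve hex digits once separators are removed.
    """
    if not raw:
        return None
    digits = _SEPARATORS.sub("", raw).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request):
    """Decide what the authorize stage should do with one Access-Request.

    request: dict of attribute name -> value (the subset we care about).
    Returns one of:
      ("accept", username)  known LAN host on a wired port, skip the password
      ("eap", None)         hand the request to the EAP module (PEAP/MSCHAPv2)
      ("reject", reason)    neither a trusted wired host nor an EAP attempt
    In FreeRADIUS terms "accept" corresponds to setting Auth-Type := Accept
    in the authorize section and "eap" to falling through to the eap module.
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if request.get("NAS-Port-Type") in WIRED_PORT_TYPES and mac in KNOWN_LAN_MACS:
        return ("accept", KNOWN_LAN_MACS[mac])
    if request.get("EAP-Message") is not None:
        return ("eap", None)
    # A bare PAP/CHAP attempt from an unknown host: nobody is supposed to send
    # passwords outside the PEAP tunnel, so refuse instead of consulting SQL.
    return ("reject", "not a known wired LAN host and no EAP in request")


# Constructed sample requests; every value is made up for the example.
SAMPLE_REQUESTS = [
    {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "00-11-22-AA-BB-CC",
     "User-Name": "alice"},
    {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "0011.22aa.bbdd",
     "User-Name": "bob"},
    # Same MAC as alice, but arriving over wireless: the bypass must not apply.
    {"NAS-Port-Type": "Wireless-802.11", "Calling-Station-Id": "00:11:22:aa:bb:cc",
     "User-Name": "alice", "EAP-Message": b"\x02\x00\x00\x0a\x01alice"},
    {"NAS-Port-Type": "Ethernet", "Calling-Station-Id": "de:ad:be:ef:ca:fe",
     "User-Name": "mallory", "User-Password": "guess"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], req["NAS-Port-Type"], "->", authorize(req))
```

Translated to a FreeRADIUS deployment, the lookup would be an `sql` query against the MySQL user table keyed on the canonicalised MAC, and the "accept" branch would be `update control { Auth-Type := Accept }` inside `authorize`, guarded by the same NAS-Port-Type check; the exact unlang syntax depends on the server version, so treat that mapping as a pointer rather than a recipe.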
