Hi,

Ivan has already given you much good advice. I wanted to add a few comments.

In message <[EMAIL PROTECTED]>, Si St <[EMAIL PROTECTED]> writes
> The Router supports EAP/WPA-Enterprise (has a box for this choice;)
> Automatic (WPA or WPA2), TKIP and AES

I would be very surprised if the RADIUS functionality on the router supports anything other than the wireless access point. It sounds like you have a consumer level unit - not an enterprise level router/firewall here.

If so, all you can do with RADIUS is to control access to your wireless network - the Authentication and Authorisation of AAA. Most consumer level units do not support Accounting - though some do. If your router doesn't support accounting, there's no point wasting any time setting up accounting in FreeRADIUS!

You will not have the RADIUS functionality of more expensive enterprise level wireless access points, such as the ability to return the VLAN to connect the user to from the RADIUS server. There again, if this is a consumer unit, it probably has no VLAN support anyway.


> There will probably for all practical purposes be only wireless clients: 3 laptops and one workstation, but I have configured 2 IP addresses for each laptop, one for their wireless card, the other address for the wired/cabled card in case they will be needed. The access of the clients is controlled by allowing only the specific MAC addresses of each machine to connect to the router. (Router's Netfilter) The machines also have fixed IPs reserved.

I very much doubt that your router can make any use of RADIUS for handing out IP addresses, especially if the only mention of RADIUS is in connection with the wireless features.

Handing out IP addresses via RADIUS is most commonly done with NASes (dial in servers), VPN servers and CMTS (cable modem termination systems).

DHCP is more typical for bridged scenarios such as wireless networks. Your credentials get you connected to the wireless network, at which point the computer gets an IP address and related information (gateway address, DNS server(s), possibly WINS servers) via DHCP.


If you want better management of DHCP, one possibility is a DHCP server that uses an LDAP backend. You could also use LDAP to store user credentials for FreeRADIUS. However, with the size of your network, the added complexity probably isn't worthwhile.


Start with the simplest possible setup and only add functionality when you've got the basic stuff working. Keeping the configuration in a revision control system helps, too, not least when upgrading the server to a newer version. I use Subversion, but it is probably best to use what you're most familiar with.


FreeRADIUS 2.0.3 will make your task much easier as it will build the necessary certificates for EAP automatically. PEAP is pretty easy to get going as there's no need to generate client certificates.

Whatever your eventual aims, start by getting your wireless users on WPA2-Enterprise (or WPA2 / WPA mixed mode if you have any clients that can't do WPA2) authenticating against FreeRADIUS with PEAP. Use the users file for your users. Anything else should be built on top of that.


radiusd -X is your friend.



Best wishes,




David
--
David Wood
[EMAIL PROTECTED]
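
Added example, not part of David's message or of the FreeRADIUS distribution: the minimal starting point the message recommends (access point as RADIUS client, PEAP, accounts in the users file), written for FreeRADIUS 2.x. The client name, address, user name and secrets are constructed placeholders, and the file locations assume the default raddb layout.

```conf
# --- raddb/clients.conf --------------------------------------------------
# The wireless router is the RADIUS client (NAS). Requests from any other
# source address are rejected, so this entry must match the router's LAN IP.
client home-ap {
    ipaddr    = 192.0.2.1                      # placeholder: router's LAN address
    secret    = REPLACE-WITH-LONG-RANDOM-SECRET # placeholder: same value goes in
                                               # the router's WPA-Enterprise page
    shortname = home-ap
}

# --- raddb/eap.conf, inside the existing eap { ... } section -------------
# Optional: propose PEAP first instead of the shipped default. The rest of
# the shipped eap.conf, including the automatically built server
# certificates, stays unchanged.
#     default_eap_type = peap

# --- raddb/users ---------------------------------------------------------
# One line per person. PEAP's inner MSCHAPv2 exchange needs the cleartext
# password (or its NT hash) on the server; crypt- or MD5-hashed entries
# cannot be used to answer the challenge.
alice   Cleartext-Password := "REPLACE-WITH-ALICE-PASSPHRASE"   # placeholder
```

Start the server with `radiusd -X` and connect one laptop: the debug output shows the Access-Request arriving from the router's address and each EAP step, which is where a mismatched shared secret or an unknown client shows up first.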