On 3 Jul 2012, at 09:16, Andreas Meyer wrote:

>>> Where can I read what other possibilities there are to authorize a client
>>> for an AP using a RADIUS server as backend.
>>
>> it depends what you want to do. you were talking about authenticating
>> using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
>> which means the client uses a certificate
>
> OK
>
> I wonder what other possibilities than certificates there are to authorize
> a client to a network using WLAN. Like Hotspots, internet cafes and hotels
> for example. I mean, handing over a certificate to a client on a USB stick
> seems impracticable to me.
In the world of EAP, certificates are needed. For EAP-TLS based methods you need a certificate to identify the RADIUS server. When you begin an authentication attempt the RADIUS server will pass its server cert to the client, so the client can verify it is talking to a legitimate RADIUS server. Without the server cert, how do you know you are talking to your RADIUS server and not some rogue?

Aside from the server cert you can also have client certs, which are used to identify the client to the server. However, you don't have to use client certs; you can use other authentications, e.g. username / password.

The most common password based authentications are MSCHAPv2 and PAP. Of course these authentications need to be wrapped in a secure tunnel, so will be inside of an EAP-TLS method, e.g. PEAP or TTLS:

  PEAP/MSCHAPv2
  TTLS/PAP
  TTLS/MSCHAPv2

Out of the box without any config FreeRADIUS will do PEAP. With a fresh install all you need to do is add a user password to raddb/users, e.g.

  joe     NT-Password := "ABCDEF1234567890ABCDEF1234567890"
          Reply-Message = "Hello, %{User-Name}"

  andy    Cleartext-Password := "p4ssw0rd"
          Reply-Message = "Hello, %{User-Name}"

Run radiusd -X, try and authenticate and look at what is happening.

Without wanting to confuse you too much, there is also a new EAP method called EAP-PWD which doesn't use any certificates. This has very limited support in clients at the moment so isn't very practical. It uses some crazy cryptography which avoids the need for certs.

For some more background on deploying 802.1X have a read of this:
http://www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf

Thanks
Scott Armitage