Re: Freeradius + MySql + Wireless Clients without certificates
Hi,

> I agree for the most part. However, captive portals will still be in
> use for guest access. There's less administrative and helpdesk overhead
> for this type of deployment.
>
> On Windows machines, the CA/cert trust has to be explicitly enabled.
> This can be a barrier for un-managed and non-employee machines.

So visitors get a nice easy coffee-shop way onto the network whilst employees have to suffer the wrath of 21 steps of PEAP hell? Nah, that's just not fair.

There are several tools developing nicely which make getting onto an 802.1X network nice and easy for all people, staff, students or visitors - eg Cloudpath and su1x - with these, there is no nasty CA/cert trust for a visitor to deal with. And if they cannot get onto the supplied network, then there's always a commercial link or 3G dongle option (most modern 'road warriors' have eg a 3G dongle or MiFi in their pocket to avoid stupid wifi charges at hotels ;-) )

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + MySql + Wireless Clients without certificates
On 9/14/10 11:38 AM, Alan Buxey wrote:
> Hi,
>
>>> I'd like to know if there is a way to configure a RADIUS server + MySQL
>>> to authenticate wireless clients via a Cisco AP without certificates (EAP
>>> TLS), only a username and password
>
> yes. we use Cisco APs - we used to use them in autonomous mode but moved to the
> lightweight LWAPP (now CAPWAP) mode a few years back.
>
> I would not recommend broken captive portals. 802.1X is the way forward
> (and is now being mandated by several government and education procurement
> systems around the world - expect any half-decent auditor to pick up on this
> too.)
>
> for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server
> has a certificate signed by a CA. the clients don't need certificates, they
> just need to have the CA on them that signed the RADIUS server (for trust!)

I agree for the most part. However, captive portals will still be in use for guest access. There's less administrative and helpdesk overhead for this type of deployment.

On Windows machines, the CA/cert trust has to be explicitly enabled. This can be a barrier for un-managed and non-employee machines.

--
Kevin Ehlers
Network Engineer
University of Oregon
Re: Freeradius + MySql + Wireless Clients without certificates
Hi,

> > I'd like to know if there is a way to configure a RADIUS server + MySQL
> > to authenticate wireless clients via a Cisco AP without certificates (EAP
> > TLS), only a username and password

Yes. We use Cisco APs - we used to use them in autonomous mode but moved to the lightweight LWAPP (now CAPWAP) mode a few years back.

I would not recommend broken captive portals. 802.1X is the way forward (and is now being mandated by several government and education procurement systems around the world - expect any half-decent auditor to pick up on this too).

For EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server has a certificate signed by a CA. The clients don't need certificates, they just need to have the CA on them that signed the RADIUS server (for trust!).

alan
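The PEAP/TTLS setup Alan describes, as an added example that is not part of the original thread and not the FreeRADIUS project's shipped configuration: a trimmed FreeRADIUS 2.x `eap.conf` carrying the server-side TLS material, both tunnelled methods handing the inner authentication to the `inner-tunnel` virtual server (where the `sql` module looks users up in MySQL), and a `clients.conf` entry for an autonomous Cisco AP. The client name, the AP address 192.0.2.10, the shared secret, the key passphrase and the certificate file names are assumptions.

```conf
# raddb/eap.conf (FreeRADIUS 2.x layout) - only the pieces that matter here.
# The server presents server.pem inside the TLS tunnel and never asks the
# client for a certificate, so EAP-PEAP and EAP-TTLS work with username and
# password only. The CA in ca.pem is what the clients must trust.
eap {
	# Windows supplicants do not speak EAP-MD5; make PEAP the outer default.
	default_eap_type = peap
	timer_expire     = 60
	ignore_unknown_eap_types = no
	max_sessions = 4096

	tls {
		certdir = ${confdir}/certs
		cadir   = ${confdir}/certs
		# Key and certificate of the RADIUS server itself. Sign it with a
		# CA the clients already trust, or with your own CA that you then
		# distribute to the clients. (Assumed passphrase and file names.)
		private_key_password = change-this-key-passphrase
		private_key_file     = ${certdir}/server.pem
		certificate_file     = ${certdir}/server.pem
		CA_file              = ${cadir}/ca.pem
		dh_file              = ${certdir}/dh
		random_file          = ${certdir}/random
		fragment_size  = 1024
		include_length = yes
		check_crl      = no
		cipher_list    = "DEFAULT"
	}

	# Both tunnelled methods pass the inner request to the inner-tunnel
	# virtual server; that is where sql must be enabled in authorize.
	ttls {
		# Inner method when the client sends EAP inside TTLS; TTLS clients
		# using plain PAP/CHAP/MSCHAPv2 do not need this.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		# Inner method for PEAP; this is what Windows clients send.
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# raddb/clients.conf - the autonomous Cisco AP is the NAS. The shared secret
# protects the RADIUS traffic between AP and server; it does nothing for the
# user's credentials, which are protected only by the TLS tunnel above.
client cisco-ap {
	ipaddr  = 192.0.2.10
	secret  = change-this-shared-secret
	nastype = cisco
}
```

Two things bite people who combine this with MySQL. First, the `sql` entry in the authorize section of `sites-enabled/inner-tunnel` is commented out in the stock 2.x configuration; the username and password only exist inside the tunnel, so uncomment it there (keeping it in `sites-enabled/default` only helps non-EAP requests). Second, the PEAP inner method is MS-CHAPv2, which the server can verify only if the `radcheck` row stores `Cleartext-Password` (or `NT-Password`) with operator `:=`; a crypt or MD5 hashed password in the database works with EAP-TTLS/PAP but not with PEAP. The `eapol_test` program from the wpa_supplicant sources runs the full PEAP exchange against the server, so use it to check the server before involving the AP.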
Re: Freeradius + MySql + Wireless Clients without certificates
On 09/14/2010 11:53 AM, Esteban TALAVERA wrote:
> Thanks. It's an autonomous AP. I'll try the Freeradius+MySql+EAP-TLS schema.

Huh? What's that?

As has been pointed out previously, you must have a server cert if you're doing TLS. In addition the server cert should be signed by a trusted CA and the supplicant should validate the cert (anything less would be a ridiculous security risk). No amount of fudging the server configuration is going to magically modify the fundamental requirements of TLS.

If you don't want to set up a server cert, forget about supporting PEAP, EAP-TLS, etc. (which means most Windows clients will not work).

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Freeradius + MySql + Wireless Clients without certificates
Thanks. It's an autonomous AP. I'll try the Freeradius+MySql+EAP-TLS schema.

On Tue, Sep 14, 2010 at 11:06 AM, Kevin Ehlers wrote:
> On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
> > I'd like to know if there is a way to configure a RADIUS server +
> > MySQL to authenticate wireless clients via a Cisco AP without certificates
> > (EAP TLS), only a username and password
>
> Are you using an autonomous AP or a lightweight AP with a controller?
> If you have a controller, you can do webauth. For webauth, the only
> certificate required is the one for https/ssl. If it's an autonomous
> system, then you could place clients on a vlan and make them go through
> an authentication gateway.
>
> --
> Kevin Ehlers
> Network Engineer
> University of Oregon

--
Esteban Talavera
Proyectos ITW
Tel. +(58)212 7623035 / +(58)212 7620504
Cel. +(58)412 2892006
Fax +(58)212 7615965
Re: Freeradius + MySql + Wireless Clients without certificates
On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
> I'd like to know if there is a way to configure a RADIUS server + MySQL
> to authenticate wireless clients via a Cisco AP without certificates (EAP
> TLS), only a username and password

Are you using an autonomous AP or a lightweight AP with a controller? If you have a controller, you can do webauth. For webauth, the only certificate required is the one for https/ssl. If it's an autonomous system, then you could place clients on a vlan and make them go through an authentication gateway.

--
Kevin Ehlers
Network Engineer
University of Oregon
Re: Freeradius + MySql + Wireless Clients without certificates
Thanks, you're right. I'll continue this way; the problem is not the "effort", but I was trying to complete the picture Freeradius+MySql+EAP_TLS+Cisco AP without success. Keep trying...

On Tue, Sep 14, 2010 at 5:25 AM, Alan Buxey wrote:
> Hi,
>
> > I'd like to know if there is a way to configure a RADIUS server +
> > MySQL to authenticate wireless clients via a Cisco AP without certificates
> > (EAP TLS), only a username and password
>
> err, EAP needs certs..that's a fundamental building block. the RADIUS server
> needs to be signed by a CA and the client needs to have that CA installed onto
> it. you can make things easier by getting your RADIUS server signed by a CA
> that is built into most of your clients - eg get a thawte or verisign signed
> cert.
>
> its a BAD BAD thing not to enable radius server checking and CA checking on
> your client. the public key infrastructure is a major part of the security of
> 802.1X and if you think it's 'too much effort' then I'll show you a nasty
> man-in-the-middle fake AP and radius server that will get all your users'
> usernames and passwords. all run in a 512Mb VM on a basic laptop :-(
>
> alan

--
Esteban Talavera
Proyectos ITW
Re: Freeradius + MySql + Wireless Clients without certificates
Hi,

> I'd like to know if there is a way to configure a RADIUS server + MySQL
> to authenticate wireless clients via a Cisco AP without certificates (EAP
> TLS), only a username and password

Err, EAP needs certs..that's a fundamental building block. The RADIUS server needs to be signed by a CA and the client needs to have that CA installed onto it. You can make things easier by getting your RADIUS server signed by a CA that is built into most of your clients - eg get a thawte or verisign signed cert.

It's a BAD BAD thing not to enable radius server checking and CA checking on your client. The public key infrastructure is a major part of the security of 802.1X and if you think it's 'too much effort' then I'll show you a nasty man-in-the-middle fake AP and radius server that will get all your users' usernames and passwords. All run in a 512Mb VM on a basic laptop :-(

alan
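The client-side check Alan is insisting on, as an added example that is not part of the original thread: a wpa_supplicant configuration with the unsafe and the hardened PEAP network block side by side, for the same SSID. The SSID, the identity and password, the CA file path and the server name radius.example.com are assumptions.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf
# Two alternative network blocks for one SSID; keep only one of them.

# WEAK: no ca_cert and no subject check. The supplicant accepts whatever
# server certificate it is shown, so a rogue AP with its own RADIUS server
# completes the outer TLS tunnel and receives the inner MSCHAPv2
# challenge/response, which is all an attacker needs to crack the password.
network={
	ssid="corp-wifi"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="esteban"
	password="secret"
	phase2="auth=MSCHAPV2"
}

# HARDENED: the CA that signed the RADIUS server's certificate is pinned and
# the server's subject is checked, so an attacker's certificate (even a valid
# one bought from a public CA for some other name) is rejected before any
# inner credentials are sent.
network={
	ssid="corp-wifi"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="esteban"
	# Outer identity sent in the clear before the tunnel exists; keeps the
	# real username out of the air.
	anonymous_identity="anonymous@example.com"
	password="secret"
	# Assumed path: the CA certificate that signed the RADIUS server cert.
	ca_cert="/etc/wpa_supplicant/corp-ca.pem"
	# Substring that must appear in the server certificate's subject DN.
	subject_match="/CN=radius.example.com"
	phase2="auth=MSCHAPV2"
}
```

The Windows equivalent of the hardened block is the PEAP properties dialog: tick "Validate server certificate", tick the issuing CA under Trusted Root Certification Authorities and fill in "Connect to these servers"; that is the explicit enabling Kevin refers to elsewhere in this thread. One caveat on the public-CA shortcut: a supplicant that only checks "signed by a trusted CA" will accept any certificate that CA has issued to anyone, so it is the server-name check (`subject_match` above, `domain_suffix_match` in wpa_supplicant 2.x and later, "Connect to these servers" on Windows) that actually ties the tunnel to your RADIUS server.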
Re: Freeradius + MySql + Wireless Clients without certificates
Hi Marten,

You mean that when configuring FreeRADIUS for EAP-PEAP it's not necessary to create certificates? Is it possible to use it with a CISCO AP as NAS?

Thanks

On Mon, Sep 13, 2010 at 6:23 PM, Marten Pape wrote:
> Hi Esteban,
> this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.
>
> Regards,
> Marten Pape
>
> Esteban TALAVERA schrieb:
> > Hi
> > I'd like to know if there is a way to configure a RADIUS server +
> > MySQL to authenticate wireless clients via a Cisco AP without certificates
> > (EAP TLS), only a username and password
> >
> > Thanks
> > --
> > Esteban Talavera

--
Esteban Talavera
Proyectos ITW
Re: Freeradius + MySql + Wireless Clients without certificates
Hi Esteban,

this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

Regards,
Marten Pape

Esteban TALAVERA schrieb:
> Hi
>
> I'd like to know if there is a way to configure a RADIUS server +
> MySQL to authenticate wireless clients via a Cisco AP without
> certificates (EAP TLS), only a username and password
>
> Thanks
>
> --
> Esteban Talavera