Re: Is this possible?

2008-10-28 Thread tnt
>I want to use a freeradius server for the following purposes:
>
>- grant authorization to Cisco switches via LDAP (group membership checking, 
>etc).

Yes.

>- make a WIFI with WPA+802.1x via MS IAS/RRAS (the main auth is done by the 
>IAS, so the freeradius acts as client for IAS/RRAS, and the WIFI APs act as 
>radclients for freeradius)
>- wired 802.1x via MS IAS/RRAS
>

Yes. Configure realm for IAS server in proxy.conf and freeradius as IAS
client. [EMAIL PROTECTED] will then be proxied to IAS.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Is this possible?

2008-10-28 Thread Dajka Tamás
Hi,

I want to use a freeradius server for the following purposes:

- grant authorization to Cisco switches via LDAP (group membership checking, 
etc).
- make a WIFI with WPA+802.1x via MS IAS/RRAS (the main auth is done by the 
IAS, so the freeradius acts as client for IAS/RRAS, and the WIFI APs act as 
radclients for freeradius)
- wired 802.1x via MS IAS/RRAS

Is this possible in one server?

Thanks,

 Viper



Re : Is this possible

2007-08-05 Thread Eshun Benjamin
You can set up pap authentication in freeradius and enable password 
authentication (by setting $userpassword=1;) on your chillispot cgi login 
script. If you are using dd-wrt on your WRT54GL then you can also configure 
your box for firewall protection etc. You may have to ask these questions in 
the chillispot forum.
 
== 
Benjamin K. Eshun

----- Original Message -----
From: YvesDM <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Sent: Sunday, 5 August 2007, 9:53:23
Subject: Re: Is this possible



On 8/4/07, Fred Zinsli <[EMAIL PROTECTED]> wrote:
> Hello everyone
>
> I am very new to freeradius and security type environments and I am
> feeling somewhat out of my depth at the moment.
>
> My current situation is that I have a chillispot WIFI setup.  A diagram
> of the current network can be seen at
> http://www.shooter.co.nz/network.pdf

Looks nice :-)

> The problem I have with this setup is that unscrupulous people are
> connecting to the unprotected APs without authenticating and playing
> games between themselves therefore bogging down our network with their
> traffic.

Just wondering, that firewall (smooth1) is a smoothwall box?
If yes, it's been a while since I've been playing with it, but I remember
there was a chillispot mod for it. (check the homebrew forum)

Just add an extra nic to that box and try it out. Your wireless will be
completely separated from the rest of the network too this way.

Also, as already suggested, you can run chillispot directly from a WRT54GL
(maybe WAP54G also, not sure) with alternative firmware, which is probably
the most easy solution.

...

> Here is what I would like to do.  When a user attempts to connect to the
> AP, the user is presented with a login screen (much like chillispot),
> the user logs on and they are connected to the AP and can use the
> network as expected.  If a user cannot authenticate the attempt is
> logged and the connection attempt to the AP is dropped.

That's easy, once you've set up everything, just enable auth. logging in
radiusd.conf

Kind regards,
Yves

Re: Is this possible

2007-08-05 Thread YvesDM
On 8/4/07, Fred Zinsli <[EMAIL PROTECTED]> wrote:
>
> Hello everyone
>
> I am very new to freeradius and security type environments and I am
> feeling somewhat out of my depth at the moment.
>
> My current situation is that I have a chillispot WIFI setup.  A diagram
> of the current network can be seen at
> http://www.shooter.co.nz/network.pdf


Looks nice :-)

> The problem I have with this setup is that unscrupulous people are
> connecting to the unprotected APs without authenticating and playing
> games between themselves therefore bogging down our network with their
> traffic.

Just wondering, that firewall (smooth1) is a smoothwall box?
If yes, it's been a while since I've been playing with it, but I remember
there was a chillispot mod for it. (check the homebrew forum)
Just add an extra nic to that box and try it out. Your wireless will be
completely separated from the rest of the network too this way.
Also, as already suggested, you can run chillispot directly from a WRT54GL
(maybe WAP54G also, not sure) with alternative firmware, which is probably
the most easy solution.

...

> Here is what I would like to do.  When a user attempts to connect to the
> AP, the user is presented with a login screen (much like chillispot),
> the user logs on and they are connected to the AP and can use the
> network as expected.  If a user cannot authenticate the attempt is
> logged and the connection attempt to the AP is dropped.

That's easy, once you've set up everything, just enable auth. logging in
radiusd.conf

Kind regards,
Yves

Re: Is this possible

2007-08-04 Thread Peter Nixon
On Sun 05 Aug 2007, Fred Zinsli wrote:
> Hello everyone
>
> I am very new to freeradius and security type environments and I am
> feeling somewhat out of my depth at the moment.
>
> My current situation is that I have a chillispot WIFI setup.  A diagram
> of the current network can be seen at
> http://www.shooter.co.nz/network.pdf
>
> The problem I have with this setup is that unscrupulous people are
> connecting to the unprotected APs without authenticating and playing
> games between themselves therefore bogging down our network with their
> traffic.
>
> So what I am wanting to do is dispose of the chillispot server and
> authenticate the users directly from the APs (WAP54G) using
> WPA-Enterprise.

Putting chillispot on each individual AP is also a possibility..

> WPA-Enterprise on the WAP54G is radius authentication with 
> a WPA shared key between the AP and the radius server.
>
> I have got the APs talking to the radius server, but it seems the radius
> server is using the credentials from the PC to authenticate the users.

That's what it is designed to do.

> Here is what I would like to do.  When a user attempts to connect to the
> AP, the user is presented with a login screen (much like chillispot),
> the user logs on and they are connected to the AP and can use the
> network as expected.  If a user cannot authenticate the attempt is
> logged and the connection attempt to the AP is dropped.

If you want a web based login screen use chillispot or something similar. If 
you want to use a PC based supplicant, then WPA is the correct solution..


-- 

Peter Nixon
http://peternixon.net/


Is this possible

2007-08-04 Thread Fred Zinsli
Hello everyone

I am very new to freeradius and security type environments and I am 
feeling somewhat out of my depth at the moment.

My current situation is that I have a chillispot WIFI setup.  A diagram 
of the current network can be seen at 
http://www.shooter.co.nz/network.pdf

The problem I have with this setup is that unscrupulous people are 
connecting to the unprotected APs without authenticating and playing 
games between themselves therefore bogging down our network with their 
traffic.

So what I am wanting to do is dispose of the chillispot server and 
authenticate the users directly from the APs (WAP54G) using 
WPA-Enterprise.  WPA-Enterprise on the WAP54G is radius authentication with 
a WPA shared key between the AP and the radius server.

I have got the APs talking to the radius server, but it seems the radius 
server is using the credentials from the PC to authenticate the users.

Here is what I would like to do.  When a user attempts to connect to the 
AP, the user is presented with a login screen (much like chillispot), 
the user logs on and they are connected to the AP and can use the 
network as expected.  If a user cannot authenticate the attempt is 
logged and the connection attempt to the AP is dropped.

This way a user cannot just blindly connect to our network and use 
bandwidth.

Is that type of configuration possible? and if so where would I find 
information on how it is done?

Many thanks in advance for your patience and comments.

Regards

Fred




Re: is this possible ?

2005-09-22 Thread Alan DeKok
"Tim Winders" <[EMAIL PROTECTED]> wrote:
> OK!  I've looked through the docs and don't see how to do this.  I can
> really use this capability.  Very cool!
> 
> Can you point me to a /doc or URL where this is explained?

  rlm_exec, and scripts/exec-program-wait

  Alan DeKok.


RE: is this possible ?

2005-09-22 Thread Tim Winders
>   Yes, You can execute any program you want from FreeRADIUS, and that
> program can return add any RADIUS attribute to the reply.

Stealing someone else's thread...

OK!  I've looked through the docs and don't see how to do this.  I can
really use this capability.  Very cool!

Can you point me to a /doc or URL where this is explained?

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336 


Re: is this possible ?

2005-09-22 Thread Alan DeKok
TK Lew <[EMAIL PROTECTED]> wrote:
> handset --> authenticated successfully --> Steelbelt radius forward
> accounting packet to Freeradius and the application will the a lookup
> for MSISDN that match the IP address before allow the handset to use
> the services.
> 
> Is this possible ?? 

  Yes, You can execute any program you want from FreeRADIUS, and that
program can return add any RADIUS attribute to the reply.


> I have tried to use the variable such as %{Calling-Station-Id} in the
> access-reply message but no values assign.

  See the debug log for why.

  Also, it might help if you posted the configuration.  Saying "I did
stuff and it didn't do what I expect" means that it's impossible for
anyone to help you.

  Alan DeKok.
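
The mechanism described in the reply above, and named in the "rlm_exec, and scripts/exec-program-wait" reply, sketched as an added example that is not part of the original thread or of the FreeRADIUS distribution: a helper program that maps an IP address to an MSISDN and prints a reply attribute. The use of Framed-IP-Address as the lookup key, Reply-Message as the reply attribute, the instance name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a helper for rlm_exec with wait = yes.
# Request attributes arrive as environment variables (Framed-IP-Address ->
# FRAMED_IP_ADDRESS); reply pairs go to stdout as "Attribute = value".
# Hypothetical wiring; instance name and paths are assumptions:
#   exec msisdn_lookup {
#       wait = yes
#       program = "/usr/local/bin/msisdn-lookup.sh"
#       input_pairs = request
#       output_pairs = reply
#   }
MAP_FILE="${MAP_FILE:-/etc/raddb/ip-msisdn.map}"   # assumed "ip msisdn" lines

# Drop one pair of surrounding double quotes in case the value arrives quoted.
unquote() {
    v=${1#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Accept only a dotted-quad IPv4 address. The value comes from the network,
# so nothing else is allowed to reach awk or the shell.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print a reply pair for the MSISDN mapped to $1 in file $2; non-zero on
# invalid input, missing file or no match.
lookup_msisdn() {
    ip=$(unquote "$1")
    valid_ipv4 "$ip" || return 1
    msisdn=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$2") || return 1
    case $msisdn in
        ''|*[!0-9]*) return 1 ;;   # only digits may be echoed into the reply
    esac
    printf 'Reply-Message = "%s"\n' "$msisdn"
}

# Act as the exec program only when the server supplied the attribute.
if [ -n "${FRAMED_IP_ADDRESS:-}" ]; then
    lookup_msisdn "$FRAMED_IP_ADDRESS" "$MAP_FILE"
    exit $?
fi
```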



is this possible ?

2005-09-22 Thread TK Lew
hi :

I am not sure that anyone have done this before ::

We have a customer using Steelbelt radius that forward accounting
information to the freeradius server. We can receive the accounting
packet and stored it successfully.
But the problem is we have another application that will do a mapping
from IP address to  MSISDN. In order to do the mapping from IP to
MSISDN , the application need to talk?? to a radius server that have
the information (that means freeradius that receive the accounting
packet). The flow is below ::

handset --> authenticated successfully --> Steelbelt radius forward
accounting packet to Freeradius and the application will the a lookup
for MSISDN that match the IP address before allow the handset to use
the services.

Is this possible ?? The application managed to authenticate itself
successfully with Freeradius but I just cannot send the matching
MSISDN back to the application.

I have tried to use the variable such as %{Calling-Station-Id} in the
access-reply message but no values assign.

Any helps ?

Thanks



RE: Is this possible?

2005-01-11 Thread Ron Wahler
You will need to either use TTLS with PAP or proxy the radius
request to Microsoft IAS.

Ron Wahler

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, January 11, 2005 10:30 AM
To: freeradius-users@lists.freeradius.org
Subject: Is this possible?

I have a project to enable 802.1x on our HP ProCurve switches.  The backend
DB will be Active Directory (read disease).  The clients will be Windows XP.

My project requires:

EAP - This comes from the ProCurve as I can use CHAP or EAP, and CHAP will
not work.
Windows XP workstations - we don't want to have to install certs on each
machine.
Active Directory integration.

I am sure this can be done if I use certificates on the client, but we want
to avoid this.  Is this possible?  If so, can anyone share a working config?

Thanks,
Mark Capelle




Is this possible?

2005-01-11 Thread markcapelle
I have a project to enable 802.1x on our HP ProCurve switches.  The backend
DB will be Active Directory (read disease).  The clients will be Windows
XP.

My project requires:

EAP - This comes from the ProCurve as I can use CHAP or EAP, and CHAP will
not work.
Windows XP workstations - we don't want to have to install certs on each
machine.
Active Directory integration.

I am sure this can be done if I use certificates on the client, but we want
to avoid this.  Is this possible?  If so, can anyone share a working
config?

Thanks,
Mark Capelle

