[RADIATOR] Load balancing EAP

2014-06-19 Thread Barry Ard
Hello Group,
I have been asked to investigate the possibility of using our F5 load
balancers in our wireless infrastructure. We currently have 2 large servers
and load balance using the EAPBalance handler. We currently allow the PEAP
and TTLS EAP types.

Our goals are:
1.  With multiple servers behind the load balancers we will be able to
remove one from use for maintenance without impacting service.
2. We also hope that we may be able to have a single SSL cert so that when
the next HeartBleed like event happens updating certs on 2 servers won't
have our user base freaking out.

Any insights or advice - or tell me I am stupid - are appreciated.

Thanks,
Barry

-- 

Barry Ard   barry@ualberta.ca
IST
University of Alberta
Edmonton, Alberta   Canada
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Radius proxying to Microsoft NAP/NPS server

2014-06-19 Thread Hugh Irvine

Hello Markus -

Yes this is possible and yes it has been done successfully.

You just need separate Handlers with the corresponding AuthBy RADIUS clauses.

regards

Hugh


On 20 Jun 2014, at 07:43, Markus Moeller wrote:

> Hi,
>  
> has anybody used Radiator as a proxy Radius server for Microsoft NAP? I 
> have a WLAN setup with multiple SSIDs and would like to send the radius 
> requests for SSID COMPANY1 to NPS server 1 and for SSID COMPANY2 to server 2 
> (e.g. company 1 has a set of NPS rules different to company 2). One reason 
> to do this would be to check on the machine through an NPS policy/certificate and 
> the user via smartcard at the same time so I can correlate the two (e.g. allow 
> company 1 user smartcard login only from COMPANY1 machines).
>  
> Does that make sense ( assuming a Windows laptop environment ) ? Is there a 
> better way to do this ?
>  
> Thank you
> Markus


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.

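Hugh's reply gives the layout in one sentence; the following Radiator configuration fragment is an added example (not from the original post, and not code shipped by Open System Consultants) of what "separate Handlers with the corresponding AuthBy RADIUS clauses" looks like for Markus's two-SSID case. It assumes the access points send the SSID in Called-Station-Id in the common `<AP-MAC>:<SSID>` form; the client network 192.0.2.0/24, the host names nps1.example.com / nps2.example.com and all shared secrets are placeholders.

```radiator
# Added example: forward RADIUS (including the EAP conversation) to a
# different NPS server depending on the SSID the request arrived on.
# Assumption: Called-Station-Id arrives as "AA-BB-CC-DD-EE-FF:SSID";
# check what your access points or controller actually send.

# Only accept requests from the known WLAN controllers / access points.
# This is what stops an arbitrary host from steering requests at an NPS.
<Client 192.0.2.0/24>
	Secret     ap-shared-secret-placeholder
	Identifier wlan-controllers
</Client>

# SSID COMPANY1 -> NPS server 1
<Handler Called-Station-Id=/:COMPANY1$/>
	<AuthBy RADIUS>
		Host     nps1.example.com
		Secret   nps1-secret-placeholder
		AuthPort 1812
		AcctPort 1813
		# EAP-Message/State pass through unchanged: NPS terminates PEAP/TLS,
		# Radiator only proxies.
	</AuthBy>
</Handler>

# SSID COMPANY2 -> NPS server 2
<Handler Called-Station-Id=/:COMPANY2$/>
	<AuthBy RADIUS>
		Host     nps2.example.com
		Secret   nps2-secret-placeholder
		AuthPort 1812
		AcctPort 1813
	</AuthBy>
</Handler>

# Anything else (unknown SSID, missing Called-Station-Id) is rejected
# instead of falling through to one of the company servers.
<Handler>
	<AuthBy INTERNAL>
		DefaultResult REJECT
	</AuthBy>
</Handler>
```

The Handler check items are matched in the order the Handlers appear, so the catch-all Handler with no check items must come last. Note that the SSID comes from the NAS and is only as trustworthy as the Client clause that admitted the request; the correlation of machine certificate and user smartcard that Markus asks about is a matter of NPS policy on the target server and is not something this proxy layout does by itself.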


[RADIATOR] Radius proxying to Microsoft NAP/NPS server

2014-06-19 Thread Markus Moeller
Hi,

  has anybody used Radiator as a proxy Radius server for Microsoft NAP? I 
have a WLAN setup with multiple SSIDs and would like to send the radius requests 
for SSID COMPANY1 to NPS server 1 and for SSID COMPANY2 to server 2 (e.g. 
company 1 has a set of NPS rules different to company 2). One reason to do this 
would be to check on the machine through an NPS policy/certificate and the user via 
smartcard at the same time so I can correlate the two (e.g. allow company 1 
user smartcard login only from COMPANY1 machines).

Does that make sense ( assuming a Windows laptop environment ) ? Is there a 
better way to do this ?

Thank you
Markus

Re: [RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

2014-06-19 Thread Heikki Vatiainen
On 06/19/2014 01:48 AM, Michael Rodrigues wrote:

> I've been searching around the list and the Internet trying to figure 
> out how a wireless client can verify the hostname of the SSL cert 
> provided by Radiator through the NAS as an SMTP or HTTP client would, 
> but I can't seem to find anything insightful. I'm not concerned with how 
> the client uses the SSL chain and its included CAs to verify the cert 
> cryptographically.

Since your organisation is an educational organisation, you may want to
check the eduroam documentation for these issues. For example:
https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

A tool such as eduroam CAT helps with these issues.

> For one, the client doesn't have Internet to make a reverse lookup until 
> they accept the cert.

Yes, and even if it could do a reverse lookup, what would the answer be
useful for? I understand the problem you are thinking about and the doc
referenced above talks more about this.

> Second, even if they were allowed DNS before authentication, someone 
> controlling the network could easily catch and spoof the reverse lookup 
> reply to make their cert look legitimate (assuming it was 
> cryptographically legitimate).

Yes, but as you noticed, there's no connectivity before the certificates
are used. And I'd say it is not possible because of how 802.1X works.

> I'm doing some development/testing and I notice that iOS and Windows 8 
> seem to see my certificate as valid but not "verified". I setup a PTR 
> record to match my host and cert name but it didn't seem to make any 
> difference. I monitored tcpdump while authenticating from OS X and I see 
> no PTR requests

I'm not surprised. There's really no useful answer that can be expected
even if DNS queries were made. A usual case is that the client initially
has no IP address and EAPOL is used directly over the LAN. So there's no
IP connectivity to make DNS queries and no peer IP address to verify
with a DNS PTR lookup.

>   I realize each client can have a different implementation. Is it even 
> possible to legitimately verify a certificate hostname for clients using 
> PEAP and EAP? I'd like to be as secure as possible without resorting to 
> client-side certificates.

See eduroam CAT and the docs eduroam folks have created. I think they
would be very useful to you especially if you are considering adding
eduroam connectivity.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-19 Thread Heikki Vatiainen
On 06/19/2014 12:46 AM, Imanol Fuidio wrote:

> I have repeated the test on an iphone with IOS7 configuring a TLS
> profile with the CA in der format. The same problem.
> The log is also in https://gist.github.com/ifdm001/57c03984282f33406aec

Maybe you could try with the certificates that come with Radiator? See
the certificates/ directory in the distribution. Those certificates have
been used with EAP-TLS, so they could help building an initial working
configuration before switching to different certificates.

Thanks,
Heikki

-- 
Heikki Vatiainen 
