Domain: freeradius.org
Stories and comments across the archive that link to freeradius.org.
Comments · 23
-
Re:Will enterprise still be a clusterfuck to setup
If someone could figure out a way to create an easy to implement, reasonable cost WPA enterprise-as-a-service they would literally print fucking money. Bonus if you could tie it in to an SSO service.
They did, it's called FreeRADIUS.
The only thing missing is a Wizard to set up the server, and an easy way of getting the certs installed on endpoint machines.
Smart devices work perfectly fine. Just install the cert and go.
Windows needs GP to do this without seeing windows' ugly side. A.K.A. Non-descriptive Dialog boxes and random GUI widgets need to be set correctly.
Most linux distros are crap as NetworkManager loves trying to install the certs as per-user certs, and mandates that any keys be password protected with the password stored in the user's keyring. (Which if they have access to the physical storage media, putting a password on the file isn't going to do jack, but network manager's devs refuse to realize this...) The alternative is to manually configure WPA supplicant's config file assuming you can do so, as many distros don't include it anymore as it's auto configured via DBUS from NM.
Chromebooks require a convoluted set up that has a PKI only signing a cert request made on the individual device. That is to say the Chromebook generates a CSR and then submits it to a signing server to create the cert it will use to connect, it will then use that cert until it expires after which it will generate a brand new CSR and key because we can't allow more than one signing attempt by the TPM generated and sealed private key. Also did I mention you have to write the extension for Chrome to be able to do this? And Deploy it via an enterprise policy set in GSuite? No you can't just install the extension from the Chrome Store, it has to be pushed via forced install otherwise it lacks the permissions needed to access the TPM to generate the CSR. BTW, You can't use your own pre-made certs. Why? Well that would give too much power to an Admin and they just couldn't handle it. Heck an Admin wouldn't know what to do with such power! You had best thank the Chrome developers for being such generous handholders and giving Their guidance to you on this huge ordeal.
So it's not so much the server as it is the clients that need the most help. My greatest recommendation would be to fire the existing developers and get some competent people in there to fix the mess.
-
PEAPv0/EAP-MSCHAPv2
Whilst the captive-portal system where you log in via an HTML form seems to be popular (perceived ease of use?), you can also do per-user password authentication at the WiFi level.
All you need is an AP that supports EAP (or Enterprise) WPA (all good ones will), and to set up a RADIUS server (http://freeradius.org/) to handle the actual authentication.
Personally this is much cleaner (AP isn't listed as unsecured, you don't have to wait for the redirection to the portal which is inevitably slow and doesn't work at all if you are using email, not a web browser).
-
Re:And where does Google get its information from?
Funny, reading Slashdot, I found multiple ways of setting up mesh networks for wireless ( given it's 2 years old, but it's a research point ) and then I googled the idea for a simple large wireless network, for 500 users, and a front end security for the guest.
a simple free Radius server http://freeradius.org/ by the way, there might be a way to integrate it to your Point of Purchase software
there are multiple research ideas about Hotspots which could be usable
given I have not looked at the routing issues but I know that's covered
-
Another shameless plug: FreeRADIUS
FreeRADIUS is among the rejected applicants for SoC, but there are some interesting projects in there anyway. For a list, take a look here: http://www.freeradius.org/summerofcode/ . One example is a TLS security layer and TCP/SCTP transport for RADIUS messages ("RadSec"), which is a leap ahead in authentication protocols.
-
It's a Win-Win situation
Most businesses would be insane to rely on open source programmers to develop their software for them... that's why many of you reading this still have a job developing commercial software or in-house homegrown software. They give you money, you develop software that they want.
I get paid to develop in-house software. To save time and money, my boss has chosen that we take a bunch of Open Source projects (such as FreeRADIUS, ChilliSpot, and Zebra) and build on top of them. While putting the pieces together, we (the programming team) found bugs in this software, and missing features. And because we have a strong incentive to get things fixed/written (deadline!), we reported bugs promptly, and helped fix them. We also helped start writing the features that we want.
In the end, we were able to produce a much more robust, solid product, in much much less time + money, because we were building on top of the Open Source projects. And during the development stage, these projects also benefit from us in the form of bug fixes and new feature implementation, and at the end, we even convinced our accounting department to give some donation (tax write-off!) to some of the projects.
I'd say it's a win-win situation.
-
Re:Go ahead, block 25
Ever heard of radius? What's so damned hard to implement?
http://www.freeradius.org/faq/
-
hmm
-
Re:Problem is I only have WEP
Implement radius! Unfortunately, I don't think most consumer level access points let you use a NAS to control authentication.
-
Re:WPA support
Open1x
Haven't used it myself but I have looked at it. It uses FreeRADIUS, which authenticates against LDAP or various SQL databases.
-
A bit of a shame...
I personally would have liked to have seen MS play a little bit harder in the Wireless space. Combined with their Kerberos implementation, we could have seen a commodity EAP-TLS system that worked out of the box. Boom! All of your wireless security concerns gone.
And no....don't talk to me about open-source here. I've played around with building an EAP-TLS system with Free Radius and after two days of solid effort it still wasn't working.
A real shame that opportunity has been missed.
-
Radius
With my work, I have hostapd set up with a radius server for authentication. I specifically use X.509 certs, but you could probably use LEAP, or some other 802.1x.
-
Re:Security options
I didn't see anything on the OpenRadius site that indicates that package will do EAP authentication over RADIUS which is a requirement for doing 802.1x. Freeradius has some support for EAP authentication in CVS, but I've not gotten it to work properly yet. Hopefully it will settle down soon, I would very much like to start using it on my home network.
If you have some money to throw at the wireless security problem, I would suggest looking into the Odyssey server from Funk software. It's much easier to set up than either Cisco ACS or Microsoft IAS and doesn't require a server version of Windows to run on. Microsoft's IAS has a passable implementation of PEAP, but the EAP-TLS implementation is clumsy at best.
On the client side, the PEAP supplicant built into Windows XP is adequate and is backported to Windows 2000 (and Me?) as a patch. The Open1x project looks promising for the *nix crowd. I haven't tested it yet since all my Linux boxes are wired.
-
Re:That's nuts
Just because the SSID is default/broadcasted doesn't mean anything special. What's special is that there's no other security enabled on your neighbor's APs. It also appears you are connecting without any WEP or whatnot on your own wifi LAN, as well, if you're connecting to your neighbor's APs or you have more than one profile set up. I think you can create a preferred profile.
With MAC address filtering and 128-bit WEP, the difficulty in hacking that wifi is somewhat prohibitive unless the hacker has unlimited time to do it, i.e. townhome/apartment/close neighbor, default SSID or not.
Some tips I'm sure a lot of you already know: turn down your signal to the lowest setting you need for your home. Stop broadcasting your SSID. Filter MAC addresses. Add in 128-bit WEP and change your WEP key regularly. If you really want to be a *lot* more secure, use a Cisco 350 AP + client cards (or some similar Radius/LEAP enabled hardware) and set up a Radius server.
Here's a good how-to.
-
FreeRadius+xsupplicant+Orinoco AP500 = no workee
About six months ago I tried to get 802.1x to work with FreeRadius and Xsupplicant using an Orinoco AP500 and an Orinoco Gold PCMCIA card under Linux. I couldn't get it to work, though I think it was due to misconfiguration of the AP500. No attempt to contact the RADIUS server was ever made.
I gave up and went with IPsec, which worked for my needs.
-
Use RADIUS
Another way would be radius for authentication, which appears to be the article's focus. That's very popular for authentication, including growing interest from the wireless operator space. See Free Radius for one such implementation.
-
Re:Open: FreeRADIUS Closed: Steelbelted RADIUS
Just my .2 cents: We just tested a steel-belted radius (funk(r)) working with Iplanet (Sun(r)), and got about 600 processed radius requests per second, which is largely enough for you.
I'm not disclosing the full study here (wanna keep my job, guys), but since radius is mainly network/cpu intensive, and because any Database is throughput intensive, it makes sense to split them over two boxes and to tune those boxes differently.
Besides, it helps if you ever want redundancy, which is probably quite desirable as an ISP.
Which raises a question: what LDAP implementation are you using?
Another point: why use a stacking of DB, like [Whatever]LDAP over [Whatever]SQL? It is just a waste of resources, because an LDAP schema is not made to fit into a relational database.
Stick to Radius/Ldap, and test your prototype performance. Here is a free test script, though I do not know if it will work with your choice of radius.
-
FreeRadius + MySQL
Freeradius comes with a SQL module to do authentication and accounting through MySQL, PgSQL, etc. My team uses it quite a lot at my place of employment...we ended up using it to replace a SafeWord installation and everybody has been very happy with it.
See Here for more info on the SQL module.
We also ended up using phpMyAdmin to administrate the adding/removing of users, groups, & other attributes.
ryanc
-
Linux radius
If you're smart enough and technically inclined enough to have a RedHat linux box to run this program on why not just run FreeRadius instead? It would seem to me that it would be better just to have a good authentication protocol and real security rather than just splatter crap all over the radio instead.
-
Authentication and Billing
With most APs now supporting 802.1x, authentication and billing, not to mention additional security, is quite easy to achieve. Look into 802.1x and various implementations of EAP which require wireless users to authenticate with a RADIUS server. In the case of Cisco's implementation of EAP it's trivial to set up, however for the most part if the AP supports 802.1x you can choose several different EAP implementations. Some suck (Microsoft's implementation is X.509 based and requires Active Directory), others are as simple as specific client software and then the RADIUS server. This takes care of accounting too so you can track users' bandwidth usage. Cisco's RADIUS server is called SecureACS and supports Cisco's APs for EAP-Cisco (LEAP) which is one of the better implementations as several other vendors are starting to say they will support it. Funk Software also has Odyssey which supports EAP-TLS (Supported by XP) and EAP-TTLS. TTLS is WAY easier to manage but not as easy as the Cisco solution. You can check out FreeRadius which supports both EAP-TLS and EAP-MD5.
For a general overview on 802.1x security check out the 802.1x Blackpaper at ArsTechnica.
I just finished designing a LEAP (EAP-Cisco) implementation for a customer of mine only a few weeks ago. The ArsTechnica blackpaper is a pretty good read for someone who doesn't do this very often.
The biggest benefit to all of this outside of the authentication is the RADIUS billing. This way you can very easily enforce bandwidth caps.
Enjoy.
Syn Ack.
-
LDAP + Cyrus + PAM
The site here describes how to create an Exchange replacement. If you want to use RADIUS you can probably find a PAM-RADIUS module to substitute for PAM-LDAP, or conversely replace your Radius server with a FreeRADIUS instance which can be backed by the LDAP server.
For moving users, enable the LDAP directory service on the Exchange server and you should be able to script (or find) some LDAP-to-LDAP migration tools. At worst, do a full directory search and massage the data into an LDIF file to be imported. Moving the mail data would be harder but I imagine something could be rigged up using the Exchange IMAP service, fetchmail, procmail and the Cyrus deliver command.
If you can find a BackOffice resource CD you should be able to create a way to access the Exchange store without even going through the LDAP and IMAP services.
-
Why I Write Code for Free
I'm one of the authors ( well, I contribute code and answer questions on the users mailing list ) for FreeRADIUS.
I do it because the equivalent commercial products suck. They are overpriced ( to the tune of thousands of dollars ) and not as feature rich. Working for an ISP providing dialup services, having a functional Radius server that is scalable, reliable, and most of all, easily modified is paramount to the success of our business.
So, I get paid by my employer to write code that ends up under the GPL in the server. The entire world gets a killer server for a great price. And my employer gets the benefit of a larger array of "virtual programmers" who are constantly reviewing and improving the code. It's a shared development cost more than anything else.
Plus, I like writing code, and I've gotten to interact with people from all over the world as they use the server.
My 2 cents anyway. Others have probably said it better than I, but this is why *I* write code and give it away.
:)
-
linux works fine with securid radius
If your securid server has the radius option installed (most do, but it is an option), you can use pam_auth_radius to authenticate on linux.
This is not the same as pam_radius, which only does accounting, not authorization.
I found pam_auth_radius at www.freeradius.org but that version uses random sequence numbers, and the securid server is picky about duplicate requests, so you'll have people rejected for no reason from time to time.
I fixed that in our version, but I haven't sent the patches back yet - you can get this fixed version at http://www.zip.com.au/~crisb/
We use it with ssh - (there's a rough /etc/pam.d/ssh in the tarball) - On solaris we just compile ssh with the securid native library, but, as you've found, there isn't one for linux yet. Please pester Security Dynamics, the more the better!
Cris
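The duplicate-request problem described above, as an added example that is not code from the page or from pam_auth_radius: a minimal RFC 2865 Access-Request encoder (including the User-Password hiding) and a hypothetical "picky" server-side duplicate cache that, like the SecurID behaviour the comment reports, keys only on the client and the 8-bit Identifier. Feeding it genuinely new requests with random identifiers gets some of them dropped, while sequential identifiers do not collide; the shared secret, user name and client address are constructed values.

```python
import hashlib, os, random, struct
from collections import OrderedDict

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2  # RFC 2865 code / attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), the first "previous block" being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(identifier, user, password, secret, authenticator):
    """Encode Code | Identifier | Length | Authenticator | TLV attributes."""
    attrs = struct.pack("BB", ATTR_USER_NAME, 2 + len(user)) + user
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

class PickyDedupCache:
    """Hypothetical model of a server that drops any request whose (client, Identifier)
    pair is still in its recent-request window, ignoring the Request Authenticator."""
    def __init__(self, window=256):
        self.window, self.seen = window, OrderedDict()

    def is_duplicate(self, client, packet):
        key = (client, packet[1])          # byte 1 of the header is the Identifier
        if key in self.seen:
            return True
        self.seen[key] = packet[4:20]      # remember the Request Authenticator
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)  # evict the oldest entry
        return False

def count_false_rejects(n, random_ids=False, seed=1, secret=b"s3cret"):
    """Send n genuinely new Access-Requests (fresh authenticator each) using either
    sequential Identifiers or, as the pam_auth_radius build above did, random ones,
    and return how many the picky server wrongly drops as duplicates."""
    rng, cache, rejected = random.Random(seed), PickyDedupCache(), 0  # seeded: repeatable
    for i in range(n):
        ident = rng.randrange(256) if random_ids else i % 256  # sequential wraps only at 256
        pkt = build_access_request(ident, b"alice", b"pw", secret, os.urandom(16))
        rejected += cache.is_duplicate("10.0.0.1", pkt)
    return rejected
```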
-
Configs Of My Dreams
(sorry if it has been posted before - can't read all the discussion)
Ideal Solution to Unix Config Trouble(TM)(IMHO!):
- one standardized "config language" - may be XML but personally I like BIND-style with {} & indents, it's easier to read and understand - and to edit with CLI tools
- NB! open-sourced (of course) conf-parsing lib - to be used in new projects, let alone old ones
If I was a real programmer I would extract it from BIND source and generalize enough to make it eligible for always busy FreeRadius folks - right now they need a new config-parsing engine, nobody wants those old ugly "users" files...
- compatibility tools - to convert new-style configs into old-style (I'd love to write one for apache)
- general GUI tools to edit configs as menus and so on - for experienced users who understand what they're doing
- application-specific GUI tools like linuxconf logging everything they do to the configs - for newbies (and those logs - for their gurus)
- or maybe WebMin clone + application-specific modules which write configs in common config language (see above :)
- more programmers to port old programs to new config style
And we need much better config repository than /etc !
The idea of the registry is not so bad after all if we do some virtual file system of it. We have procfs and devfs - why not conffs?