I've just set up RADIUS to authenticate using AD to check computer accounts.
Can anyone recommend a way of getting guest computers onto and off the wireless easily?
Do your wireless APs support VLAN isolation? If they do, use that. Instead of getting no connection at all they will be put in this separate VLAN where you can grant access to whatever specific systems you want (I'd guess internet access?)
If you have cheap APs that don't do this, check if you can flash them with OpenWRT. You can get the functionality that way.
Failing that, no.
Drat! Would creating a dummy computer in AD be enough for RADIUS to authenticate?
(Sorry to ask a dumb question, I don't have a laptop to test it on atm.)
No, the computer needs a valid account in AD to be able to authenticate. If you've not done the 'add computer to the domain' thing locally on the machine it won't have the required cryptographic credentials to authenticate.
Basically, you have to add the machine to the domain for the RADIUS authentication to be successful. That's the whole point.
We have multiple RADIUS authentication rules.
One which allows a list of Laptop computers;
One which allows a list of Users;
Copy the rule that you use for the computer authentication, but apply it to a group into which you just put the "extra" users (which would have to be created in your AD). You would also have to change some of the logon/authentication settings on the laptop; there's a tick box that is something like "user logged on username" and "authenticate as computer" which will have to be changed.
Then when the laptop/user attempt to connect they get a message about more credentials needed, and they have to type in username / password / domain.
-- This is from memory, but I can check the details on Friday.
Thanks user, that would be great. I've managed to do it with my PDA by importing a certificate (which I'm happy to manually put on said laptops) so I know something is possible.
Fixed! If anyone wants to know how, feel free to PM me.

Please post the details of what you did in order to help people searching in the future.
Ben
You can use MAC addresses in a RADIUS authentication policy too.
This is useful for locking switch connections down.
Especially in halls of residence and the like.
Stops people connecting unauthorised devices to your LAN outlets or APs.
Seconded... Having someone post up a "Hey I know, PM me to find out" is counter to this forum's whole purpose, isn't it?
Grr... sorry but having all sorts of fun with wireless and this nugget would have been a {deity} send.
FWIW (and I'd appreciate a little feedback on this)... I've got a second rule in the RADIUS server which uses these rules:
- Windows group matches Domain Staff (ie: user is in a specific security group we want to be able to use this)
- No other changes in the profile
On the client machine setup the wlan manually with these settings:
- WPA
- TKIP
- Auth as Protected EAP (as set up in the RADIUS originally)
- Untick the "authenticate as computer when... " box
- In properties Untick the "Validate server certificate" (you should really be installing the cert on the machines you want to use this with though!)
- For "Select Auth.. Method" choose the EAP-MSCHAP v2
- In Configure > Untick the "Automatically use my Windows logon name.." as you doubtless want to authenticate manually
- OK everything and it should work unless I'm missing something.
You should then, when you try to connect, get a login request for username, password and domain... Took a few moments to get it working for me but it is now.
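The client-side steps above can be scripted instead of clicked through. The following is an added example, not something from this thread or from Microsoft: it builds a Windows WLAN profile in the standard `netsh wlan` profile XML format with the settings listed (WPA/TKIP, PEAP with inner EAP-MSCHAPv2, user rather than computer authentication, and no automatic use of the Windows logon name, so the user is prompted for credentials), then imports it. The SSID name and the CA thumbprint parameter are assumptions. One deliberate difference from the post: server certificate validation stays on by default, because with it unticked the client will hand its MSCHAPv2 response to any RADIUS server that answers, which is exactly the risk the post's own "you should really be installing the cert" remark points at; `-SkipServerValidation` reproduces the quick-test setting if you need it.

```powershell
<#
Added example (not from the thread or any vendor): build and import a WLAN
profile matching the manual client settings listed in the post.
Element names follow the standard WLAN profile schema; compare against a
profile exported with `netsh wlan export profile` on your own machine.
Run from an elevated PowerShell prompt.
#>
param(
    [string]$Ssid = 'StaffGuestWLAN',          # assumed SSID, change to yours
    [switch]$SkipServerValidation,             # reproduces the "Validate server certificate" untick
    [string]$TrustedRootCAThumbprint = ''      # optional: SHA-1 thumbprint of the root CA that issued the NPS cert
)

# Corrected setting (validation on) is the default; the untick is opt-in only.
$validate = if ($SkipServerValidation) { 'false' } else { 'true' }

# Optional root CA pinning. The profile format wants the thumbprint as
# space-separated lowercase hex bytes ("ab cd ef ...").
$trustedRootXml = ''
if ($TrustedRootCAThumbprint) {
    $hex    = ($TrustedRootCAThumbprint -replace '[^0-9a-fA-F]', '').ToLower()
    $spaced = ($hex -split '(..)' | Where-Object { $_ }) -join ' '
    $trustedRootXml = "<TrustedRootCA>$spaced</TrustedRootCA>"
}

$profileXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$Ssid</name>
  <SSIDConfig><SSID><name>$Ssid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA</authentication>
        <encryption>TKIP</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <!-- "user" = the "authenticate as computer when..." box is unticked -->
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <!-- 25 = PEAP -->
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                    $trustedRootXml
                  </ServerValidation>
                  <FastReconnect>true</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <!-- 26 = EAP-MSCHAP v2 as the inner method -->
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <!-- false = "Automatically use my Windows logon name..." unticked -->
                      <UseWinLogonCredentials>false</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">$validate</PerformServerValidation>
                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"@

# Write the profile to a temp file, import it for all users, then tidy up.
$tmp = Join-Path $env:TEMP "$Ssid-wlan-profile.xml"
$profileXml | Set-Content -Path $tmp -Encoding UTF8
netsh wlan add profile filename="$tmp" user=all
Remove-Item $tmp
netsh wlan show profile name="$Ssid"
```

With `authMode` set to `user` and `UseWinLogonCredentials` false, Windows raises the credential prompt the post describes the first time a user connects; once the NPS certificate's root CA is in the machine's trusted store (or pinned via `-TrustedRootCAThumbprint`), the same profile works with validation left on and nothing else changes.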
Of course the downside to all of this is that you have to manually handle most of this.
Now, if anyone knows how to allow a WPA-PSK through using RADIUS then that would be great... *smiles sweetly*