Networks Thread, RADIUS and IAS in Technical
-
26th May 2006, 11:27 AM #1 RADIUS and IAS
Has anyone implemented a RADIUS server and / or IAS to authenticate a wireless network?
If so, how easy is it to implement and run? Are there any security issues that need to be addressed beforehand to allow smooth running?
Would a Linux RADIUS be best or are the switch variety better?
What about IAS on Server 2003?
Just a few questions to assist me in whether to set one up instead of standard encryption.
If any more info is available, please feel free to post. The more the better.
-
-
26th May 2006, 11:39 AM #2 Re: RADIUS and IAS
There's a discussion here on encryption and various RADIUS implementations.
-
-
26th May 2006, 11:49 AM #3 Re: RADIUS and IAS
W2k3 Server + IAS works but it's a pig to do. There's an MS whitepaper you can follow to do it.
http://www.microsoft.com/technet/pro...y/ed80211.mspx
Linux is simpler (from my POV). FreeRadius is what does the business.
http://www.freeradius.org/doc/EAPTLS.pdf
-
-
26th May 2006, 11:58 AM #4 Re: RADIUS and IAS
CrhisH - Thanks for the heads up and sorry to re-post for old info.
Geoff - cheers for that info too. I have never really used Linux, but I will look into it as I have been wanting to get into Linux for a while.
-
-
26th May 2006, 12:26 PM #5 Re: RADIUS and IAS
We use Server 2003 with IAS to authenticate all of our wireless clients. After some unsuccessful experiments with certificates, we decided to use PEAP for authentication. The advantage (to us) is that machines with Active Directory computer accounts authenticate themselves.
Laptops which are not domain members are prompted for a domain username and password to connect to the wireless network.
-
-
26th May 2006, 02:24 PM #6 Re: RADIUS and IAS
Sounds good, Slartibartfast. How difficult was IAS to set up initially? I am not in control of the DCs so it would be left to someone else to do.
I would like the option of knowing how to do both IAS and RADIUS authentication and have some information on problems some people have had with each, so I can then go down the path of least resistance, hence the questions.
-
-
26th May 2006, 02:53 PM #7 Re: RADIUS and IAS
Slarti: Hey mate, not far from me in little ole Watton. Scalable and secure wireless is what I've been looking at for a while; would love to see your setup, and if you could give some pointers on IAS setup that would be cool. I've seen all the M$ stuff on using PKIs etc... but it's way too complicated.
The other alternative is Elektron from Corriente, which is a simple install to give you a RADIUS server for authenticating wireless clients, with a certificate so they can authenticate the server.
Trouble is, atm Elektron only gives user authentication and not machine, so domain users couldn't log in using the wireless, as the secure connection is only brought up after they have logged in.
Ben
-
-
26th May 2006, 03:46 PM #8 Re: RADIUS and IAS

Originally Posted by Slartibartfast:
> We use Server 2003 with IAS to authenticate all of our wireless clients. After some unsuccessful experiments with certificates, we decided to use PEAP for authentication. The advantage (to us) is that machines with Active Directory computer accounts authenticate themselves.
> Laptops which are not domain members are prompted for a domain username and password to connect to the wireless network.
I'd settled on PEAP as the most likely candidate for when we do wireless "properly" (currently we only have one AP used in anger).
Your last statement about being able to connect to the wireless network with any old laptop logging in via a user account has me a bit worried though. Is that because users can add up to 10 computers to the domain by default or is it something different? Is there an easy way to stop that behaviour so that we don't get plagued by rogue laptops riddled with viruses and hacking tools?
-
-
26th May 2006, 04:24 PM #9 Re: RADIUS and IAS
I think he means that a domain computer can connect to the network using its computer credentials, but a laptop that's not part of the domain would be asked for a username and password to be entered before it's allowed access. This would be the person's username, domain and their domain password; if they are all correct then access is allowed.
Ben
-
-
26th May 2006, 04:44 PM #10 Re: RADIUS and IAS

Originally Posted by plexer:
> I think he means that a domain computer can connect to the network using its computer credentials, but a laptop that's not part of the domain would be asked for a username and password to be entered before it's allowed access. This would be the person's username, domain and their domain password; if they are all correct then access is allowed.
> Ben
Yeah, that's how I understood it. Unfortunately that would allow any pupil with their own non-domain-member laptop to connect to the wireless network from anywhere on the site, which currently isn't acceptable for us. At least with wired connections we can tell which wall socket they're plugged into and go and ask them to pack it in. With large-scale wireless they could even be in the car park or a nearby house.
-
-
26th May 2006, 05:42 PM #11 Re: RADIUS and IAS
Yes they could, but then you make it so that they can't log in and it's only domain computers or allowed MAC addresses or some other scheme to prevent it; that's just how he has it configured.
Ben
-
-
26th May 2006, 06:28 PM #12 Re: RADIUS and IAS
If it's IAS RADIUS authenticated, surely you could restrict authentication to certain users or groups? If you're not on the list, you can't get in.
-
-
26th May 2006, 09:17 PM #13 Re: RADIUS and IAS
I have set up IAS for wireless. It works quite well; the only tedious bit was getting certificates onto the clients for authentication. You can use IAS policies to restrict the logons to certain user groups.
Recently I've been looking at Linux for this. Playing with replacing firmware on the AP to do extra fun stuff.
-
-
27th May 2006, 10:58 AM #14 Re: RADIUS and IAS
Perhaps people would be willing to write a HOWTO guide for how they set their implementation of IAS/FreeRADIUS/woteva up?
I have set up a wiki page for this purpose at http://www.russdev.com/edugeek/doku.php?id=wifisetup - happy wiki-ing!
-
-
29th May 2006, 12:32 PM #15 Re: RADIUS and IAS
> Unfortunately that would allow any pupil with their own non-domain-member laptop to connect to the wireless network from anywhere on the site, which currently isn't acceptable for us.
There's an IAS remote access policy in place to prevent this.
> If it's IAS RADIUS authenticated, surely you could restrict authentication to certain users or groups? If you're not on the list, you can't get in.
Exactly. User accounts need to be a member of a specific group to authenticate.
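The group restriction discussed in posts #10 to #15, as an added example that is not part of the original thread or anyone's actual configuration: a simplified Python model of ordered, first-match remote access policy evaluation, with a permissive policy set beside a restricted one. The group name "Wireless-Staff" and all account names are assumptions made up for the illustration; per-account dial-in properties and profile settings are left out.

```python
# Added illustration: simplified model of first-match remote access policy
# evaluation. "Wireless-Staff" and every account below are constructed.
from dataclasses import dataclass

WIRELESS_80211 = 19  # RADIUS NAS-Port-Type value for "Wireless - IEEE 802.11"
ETHERNET = 15        # RADIUS NAS-Port-Type value for "Ethernet"

@dataclass(frozen=True)
class Request:
    account: str
    groups: frozenset
    nas_port_type: int = WIRELESS_80211

@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_type: int
    windows_groups: frozenset  # condition holds if the account is in ANY of these
    grant: bool

    def matches(self, req):
        return (req.nas_port_type == self.nas_port_type
                and bool(self.windows_groups & req.groups))

def evaluate(policies, req):
    """Return (granted, policy_name). The first policy whose conditions all
    match decides; a request matching no policy is rejected."""
    for policy in policies:
        if policy.matches(req):
            return policy.grant, policy.name
    return False, None

# Permissive: any valid domain user account authenticates, from any laptop.
WEAK = [Policy("Wireless - everyone", WIRELESS_80211,
               frozenset({"Domain Users", "Domain Computers"}), True)]

# Restricted: domain machines, plus users in one specific group.
RESTRICTED = [
    Policy("Wireless - domain machines", WIRELESS_80211,
           frozenset({"Domain Computers"}), True),
    Policy("Wireless - approved users", WIRELESS_80211,
           frozenset({"Wireless-Staff"}), True),
]

LAPTOP = Request("LAPTOP-07$", frozenset({"Domain Computers"}))
PUPIL = Request("pupil.jones", frozenset({"Domain Users"}))
TEACHER = Request("teacher.smith", frozenset({"Domain Users", "Wireless-Staff"}))

def decisions(policies):
    """Map each constructed account to the grant/deny outcome."""
    return {r.account: evaluate(policies, r)[0] for r in (LAPTOP, PUPIL, TEACHER)}

if __name__ == "__main__":
    for label, policies in (("weak", WEAK), ("restricted", RESTRICTED)):
        print(label, decisions(policies))
```

Under the restricted set, the pupil's valid domain password no longer gets a personal laptop onto the wireless, while domain machines and approved users still connect.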