Questions[radius](server)

We do have a Google Apps domain and we want to configure a Radius server in order to allow people to login to our corporate WiFi or VPN using their corporate credentials (Google Apps).

To make the issue even more complex, we already have 2FA enabled for our Google Accounts. Still, if that would be a blocker we could ask people to use application-passwords for this purpose in order to avoid the 2FA issue.

So far I tried to use https://github.com/layeh/google-apps-radius and it did pass the radtest but it failed to work with our UniFi AP. While I contacted the vendor for details I am looking for alternatives in case this Radius server cannot really work. We are also considering hosted solutions.

As I understood EAP-TTLS and PEAP share same level of security when implemented in wireless networks. Both only provide server side authentication via certificate.

The drawback of EAP-TTLS can be non native support in Microsoft Windows so every user has to install additional software.

The benefit of EAP-TTLS can be support for less secure authentication mechanisms (PAP, CHAP, MS-CHAP) but why would you need them in modern and properly secure wireless system?

What are you opinions? Why should I implement EAP-TTLS instead of PEAP? Let's say that I have most Windows users, medium Linux users and least iOS, OSX users.

We have our Cisco network devices configured to authenticate network administrators using their domain accounts via RADIUS running on a Windows 2008R2 server with the network protection role. This works great for logging into the switch via SSH when configuring the devices.

We are now in the beginning stages of deploying smart cards for logins. Does anyone know of a way to login to a Cisco switch using a smart card instead of a domain username and password?

The SSH client we are using is Putty. Workstations are Windows 7. RADIUS is running on Windows 2008R2. We are running our own certificate authority on Windows 2008; network is not connected to the Internet.

We prefer to not have to purchase additional proprietary devices for this functionality.

We (the tech I work with and myself) live in a remote northern town where Internet access is somewhat of a luxury, and bandwidth is quite limited. Here, overage charges ranging from few hundreds, to few thousands of dollars a month, is not uncommon. I myself incur regular monthly charges just through my regular Internet usage at home (I am allowed 10G for $60CAD!)

As part of my work, I have found myself involved with several hotels that are feeling this. I know that I can come up with something to solve this problem, but I am relatively new to system administration and I don't want my dreams to overcome reality.

So, I pass these ideas on to you, those with much more experience than I, in hopes you will share some of your thoughts and concerns.

This system must be cost effective, yes the charges are high here, but the trust in technology is the lowest I've ever seen.

• Must be capable of helping client reduce their usage (squid)
• Allow a limited (throughput and total usage) amount of free Internet, as this is often franchise policy.
• Allow a user to track their bandwidth usage
• Allow (optional) higher speed and/or usage for an additional charge. This fee can be obtained at the front desk on checkout and should not require the use of PayPal or Credit Card.
• Unfortunately some franchises have ridiculous policies that require the use of a
  third party remote service to authenticate guests to your network. This means WPA is out, and it also means that I do not auth before Internet usage, that will be their job. However, I do require the ABILITY to perform authentication for Internet access if a hotel does not have this policy. I will still have to track bandwidth (under a guest account by default) and provide the same limiting, however the guest often will require a complete 'unlimited' access, in terms of existence, not throughput.
• Provide firewalling capabilities for hotels that have nothing, Office, and Guest network segregation (some of these guys are running their office on the guest network, with no encryption, and a simple TOS to get on!)
• Prevent guests from connecting to other guests, however provide a means to allow this to happen. IE. Each guest connects to a page and allows the other guest, this writes a iptables rule (with python-netfilter) and allows two rooms to play a game, for instance.

My thoughts on how to implement this. One decent box (we'll call it a router now) with a lot of ram, and 3 NIC's:

1. Internet
2. Office
3. Guests (AP's + In Room Ethernet)

Router Firewall Rules

• Guest can talk to router only, through which they are routed to where they need to go, including Internet services.
• Office can be used to bridge Office to Internet if an existing solution is not in place, otherwise, it simply works for a network accessible web (webmin+python-webmin?) interface.

Router Software:

• OpenVZ provides virtualization for a few services I don't really trust. Squid, FreeRADIUS and Apache. The only service directly accessible to guests is Apache.
• Apache has mod_wsgi and django, because I can write quickly using django and my needs are low. It also potentially has the FreeRADIUS mod, but there seems to be some caveats with this.
• Firewall rules are handled on the router with iptables.
• Webmin (or a custom django app maybe) provides abstracted control over any features that the staff may need to access.
• Python, if you haven't guessed it's the language I feel most comfortable in, and I use it for almost everything.

And finally, has this been done, is it a overly massive project not worth taking on for one guy, and/or is there some tools I'm missing that could be making my life easier?

For the record, I am fairly good with Python, but not very familiar with many other languages (I can struggle through PHP, it's a cosmetic issue there). I am also an avid linux user, and comfortable with config files and command line.

Thank you for your time, I look forward to reading your responses.

Edit: My apologies if this is not a Q&A in the sense that some were expecting, I'm just looking for ideas and to make sure I'm not trying to do something that's been done. I'm looking at pfSense now as a possible start for what I need.

I'm setting up a wireless network for ~150 users. In short, I'm looking for a guide to set RADIUS server to authenticate WPA2 against a LDAP. On Ubuntu.

• I got a working LDAP, but as it is not in production use, it can very easily be adapted to whatever changes this project may require.
• I've been looking at FreeRADIUS, but any RADIUS server will do.
• We got a separate physical network just for WiFi, so not too many worries about security on that front.
• Our AP's are HP's low end enterprise stuff - they seem to support whatever you can think of.
• All Ubuntu Server, baby!

And the bad news:

• I now somebody less knowledgeable than me will eventually take over administration, so the setup has to be as "trivial" as possible.
• So far, our setup is based only on software from the Ubuntu repositories, with exception of our LDAP administration web application and a few small special scripts. So no "fetch package X, untar, ./configure"-things if avoidable.

UPDATE 2009-08-18:

While I found several useful resources, there is one serious obstacle:

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Basically the Ubuntu version of FreeRADIUS does not support SSL (bug 183840), which makes all the secure EAP-types useless. Bummer.

But some useful documentation for anybody interested:

• http://vuksan.com/linux/dot1x/802-1x-LDAP.html
• http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius

UPDATE 2009-08-19:

I ended up compiling my own FreeRADIUS package yesterday evening - there's a really good recipe at http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html (See the comments to the post for updated instructions).

I got a certificate from http://CACert.org (you should probably get a "real" cert if possible)

Then I followed the instructions at http://vuksan.com/linux/dot1x/802-1x-LDAP.html. This links to http://tldp.org/HOWTO/html_single/8021X-HOWTO/, which is a very worthwhile read if you want to know how WiFi security works.

UPDATE 2009-08-27:

After following the above guide, I've managed to get FreeRADIUS to talk to LDAP:

I've created a test user in LDAP, with the password mr2Yx36M - this gives an LDAP entry roughly of:

uid: testuser
sambaLMPassword: CF3D6F8A92967E0FE72C57EF50F76A05
sambaNTPassword: DA44187ECA97B7C14A22F29F52BEBD90
userPassword: {SSHA}Z0SwaKO5tuGxgxtceRDjiDGFy6bRL6ja

When using radtest, I can connect fine:

> radtest testuser "mr2Yx36N" sbhr.dk 0 radius-private-password
Sending Access-Request of id 215 to 130.225.235.6 port 1812
    User-Name = "msiebuhr"
    User-Password = "mr2Yx36N"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Accept packet from host 130.225.235.6 port 1812, id=215, length=20
> 

But when I try through the AP, it doesn't fly - while it does confirm that it figures out the NT and LM passwords:

...
rlm_ldap: sambaNTPassword -> NT-Password == 0x4441343431383745434139374237433134413232463239463532424542443930
rlm_ldap: sambaLMPassword -> LM-Password == 0x4346334436463841393239363745304645373243353745463530463736413035
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
...

It is clear that the NT and LM passwords differ from the above, yet the message [ldap] user testuser authorized to use remote access - and the user is later rejected...