freeradius and dynamic ip allocation
Carpe Diem
company2210 at hotmail.com
Thu May 29 13:43:39 BST 2003
Radius in an 802.11a/b/g environment usually is used to authenticate the MAC
address of the connecting client. The new 802.11i (of which 802.11x is a
subset) defines more secure methods of wireless connectivity (EAP-*
(EAP-TTLS, TLS, PEAP etc.)), however the administration and support of these
new security methods is currently pretty abysmal (for instance, EAP-TTLS is
open, but only implemented in a proprietary product - Funk Software's Odyssey
server). The easiest way is to use MAC address authentication: when a client
connects to the AP, the address is passed to the radius server - we use
MySQL connected to open systems radius. Using the radius server also allows
you to limit simultaneous connections from a MAC, and do all the accounting
stuff as well (pretty nifty). As for a VPN to connect to the Radius? Don't
know - the Radius is usually never talked to by the client, but by the
access point, which makes the decision based on the response received from
the authentication query it sends to the radius server. The APs <-> radius
server encrypt queries/responses with a 'shared password', so as to ensure
no one can sniff it :) Dunno if that answers your question, but thought it
might be useful :)
Colin
>From: Pete French <pete at twisted.org.uk>
>To: paul at iconoplex.co.uk, robing at netnorth.co.uk
>CC: freebsd-users at uk.freebsd.org
>Subject: Re: freeradius and dynamic ip allocation
>Date: Thu, 29 May 2003 11:31:13 +0100
>
>I've been following the radius discussion here with increasing interest,
>because when it began I didn't really know or care what Radius was, but
>now I do!
>
>It sounds like it could be just what I need - does anyone know of anything
>under FreeBSD that would let me set up VPNs for Windows clients which talks
>to a Radius server? I have an 802.11g wireless hub which will talk to
>a Radius server too - and I am thinking that I could set up one server
>which would authenticate users when they are in range of the LAN or when
>they go roaming the world and want to connect back to home using a VPN and
>appear on the LAN at the same IP address they would have if local.
>
>Does this sound feasible at all ?
>
>-bat.
>
>------ FreeBSD UK Users' Group - Mailing List ------
>http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users
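
An added example, not part of the original thread: a minimal sketch of the AP-to-RADIUS exchange for MAC authentication, showing what the shared secret does under RFC 2865 (it hides the User-Password attribute and authenticates the reply, while the other attributes travel in the clear). The function names, the secret, the MAC address, and the convention of sending the MAC as both User-Name and User-Password are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

def attr(kind, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_mac_request(ident, mac, secret):
    """Access-Request as an AP might send it for MAC authentication.
    Assumption: the MAC is sent as both User-Name and User-Password."""
    request_auth = os.urandom(16)
    user = mac.encode()
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(user, secret, request_auth))
             + attr(CALLING_STATION_ID, user))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def sign_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(hdr + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_auth, secret):
    """AP side: accept a reply only if its authenticator matches our request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret, mac = b"constructed-secret", "00:0d:93:aa:bb:cc"   # constructed values
    request, ra = build_mac_request(7, mac, secret)
    reply = sign_response(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("MAC visible in request:", mac.encode() in request)
    print("reply verifies:", verify_response(reply, ra, secret))
```

A reply signed with a different secret, or altered in transit, fails `verify_response`, which is the check the access point relies on before acting on an Access-Accept.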