freeradius and dynamic ip allocation

Carpe Diem company2210 at hotmail.com
Thu May 29 13:43:39 BST 2003


Radius in an 802.11a/b/g environment usually is used to authenticate the MAC 
address of the connecting client. The new 802.11i (of which 802.11x is a 
subset) defines more secure methods of wireless connectivity (EAP-* 
(EAP-TTLS, TLS, PEAP etc.)), however the administration and support of these 
new security methods is currently pretty abysmal (for instance, EAP-TTLS is 
open, but only implemented in a proprietary product - Funk Software's Odyssey 
server). The easiest way is to use MAC address authentication: when a client 
connects to the AP, the address is passed to the radius server - we use 
MySQL connected to open systems radius. Using the radius server also allows 
you to limit simultaneous connections from a MAC, and do all the accounting 
stuff as well (pretty nifty). As for a VPN to connect to the Radius? Don't 
know - the Radius is usually never talked to by the client, but by the 
access point, which makes the decision based on the response received from the 
authentication query it sends to the radius server. The APs <-> radius 
server encrypt queries/responses with a 'shared password', so as to ensure 
no one can sniff it :) Dunno if that answers your question, but thought it 
might be useful :)

Colin


>From: Pete French <pete at twisted.org.uk>
>To: paul at iconoplex.co.uk, robing at netnorth.co.uk
>CC: freebsd-users at uk.freebsd.org
>Subject: Re: freeradius and dynamic ip allocation
>Date: Thu, 29 May 2003 11:31:13 +0100
>
>I've been following the radius discussion here with increasing interest,
>because when it began I didn't really know or care what Radius was, but
>now I do!
>
>It sounds like it could be just what I need - does anyone know of anything
>under FreeBSD that would let me set up VPNs for Windows clients which
>talks to a Radius server ? I have an 802.11g wireless hub which will talk
>to a Radius server too - and I am thinking that I could set up one server
>which would authenticate users when they are in range of the LAN or when
>they go roaming the world and want to connect back to home using a VPN and
>appear on the LAN at the same IP address they would have if local.
>
>Does this sound feasible at all ?
>
>-bat.
>
>------ FreeBSD UK Users' Group  -  Mailing List ------
>http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users
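
What the AP-to-RADIUS shared secret does on the wire under RFC 2865, as an added example that is not part of the original thread: it hides only the User-Password attribute and authenticates the server's reply, while other attributes such as the client MAC address are sent in clear. The MAC, secret and Request Authenticator below are constructed values, and sending the MAC as both User-Name and User-Password is an assumed AP convention.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

# Constructed sample values; a real Request Authenticator must be random.
MAC = b"001122aabbcc"
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def packet(code, ident, authenticator, attrs):
    """20-byte RADIUS header followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, request_auth):
    """User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def mac_auth_request(mac, secret, ident, request_auth):
    """Access-Request for MAC authentication (MAC as name and password: assumed)."""
    attrs = (attr(USER_NAME, mac)
             + attr(USER_PASSWORD, hide_password(mac, secret, request_auth))
             + attr(CALLING_STATION_ID, mac))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def sign_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    unsigned = packet(code, ident, request_auth, attrs)
    return packet(code, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def response_is_authentic(response, request_auth, secret):
    """AP side: recompute the Response Authenticator before trusting the reply."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```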
