08-07-2006, 09:44 AM
#1
Securing WLANs using 802.1x
Hello,
I am currently looking at setting up a RADIUS server on a desktop and having an access point connected to it which authenticates wireless nodes through the RADIUS server. I also wanted to set up a CA for certificates. I was wondering if anyone can give me a push in the right direction and tell me where I can get resources for this, what freeware I can use, and advice from anyone who has done this before. Actually, I want to do this for my dissertation for my master's and would like to try different things: use EAP/TLS, PEAP, LEAP, use FreeRADIUS with Linux and also Windows 2003 Server RAS. However, I do not have any specific resources related to this. I currently have a Netgear access point and a laptop with wireless access, and I have asked the Uni to give me a desktop which I can use for the RADIUS server. Would this suffice, or would I need anything else? I plan to try out all these different options, analyse them, and then write reports on what would be the best based on different scenarios.
Please help me out.
08-07-2006, 09:45 AM
#2
I've set it up in Windows using PEAP. To experiment with this, a single machine running Windows Server 2003 with IAS and a root CA installed will do the trick. It can be a bit tricky to get going for the first time, but once set up it works very well.
There is a good how-to at http://www.windowsnetworking.com/pag...e_p.asp?id=407 on the guts of setting this up. MS also have some IAS white papers at http://www.microsoft.com/technet/its...s/default.mspx
I've absolutely no experience doing this in Linux, hopefully someone else will be able to help you there.
08-07-2006, 09:45 AM
#3
Thanks for this Jeremy. Just going to also try and locate some books for this and read up more on it.
08-07-2006, 09:45 AM
#4
Correct, not many wireless routers do AFAIK. Perhaps a firmware update?
08-07-2006, 09:45 AM
#5
I had a quick question. For my setup I have a Netgear WGR614 router. I tried looking at it and its details, but it doesn't seem to show if it has 802.1x support. If it doesn't, that means I can't use this, right?
08-07-2006, 09:46 AM
#6
Another query that I had. I was looking at my laptop to see its 802.1x support. I noticed that I can enable this from the Authentication tab under network connection. However, this option is only showing on my wired LAN connection and not my wireless. Why is this so? I am using Windows XP.
Also, another thing: in the wired connection EAP type settings it only gives me 3 options: 1. MD5 Challenge, 2. PEAP and 3. Smart Card or other Certificate.
What about options of EAP-TLS and EAP-TTLS?
Is there any good book you would recommend for this? I guess I need to do some good reading on this subject as well. I got the AAA and Network Security for Mobile Access by Nakhjiri.
08-07-2006, 09:46 AM
#7
You don't need to use that tab for wireless; those settings are configured in the Authentication tab in the properties of each wireless network profile in Windows XP.
The types of EAP available depend on the model of network card and version of the drivers you have installed. If you haven't got what you need, try updating the drivers (this fixed it for me with many older wireless cards).
I have yet to try this with EAP-TLS. I am not up with what books are available either, I just used a combination of web articles, experience and pure luck when first setting this up.
08-07-2006, 09:46 AM
#8
I just got the Linksys WRT54GS router; it looks good and it has support for WPA and WPA2. When I was trying to configure it I noticed that the settings give many options. These are: WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise and Radius. On the WPA Enterprise and WPA2 Enterprise it does have the settings of the RADIUS server and the port along with the shared key. But there are no settings for defining the EAP protocol. Isn't this also supposed to be specified in the AP? Where do I have to specify the 802.1x settings, or do I just need to do them in the RADIUS server and the client, and as long as the AP supports it, it will forward it?
Please let me know about this.
08-07-2006, 09:46 AM
#9
You define the EAP settings within the RADIUS server itself. WPA2 is more secure than WPA but your clients must support AES encryption (some cheap or old cards do not).
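Added example, not part of the original thread: a Python sketch of why the AP in posts #8 and #9 only needs the RADIUS server address, port and shared key. Following the EAP-over-RADIUS encapsulation of RFC 3579, the AP copies the client's EAP bytes into EAP-Message attributes without interpreting them and signs the packet with the shared secret; the EAP method is only read at the server. Function names, the user name and the secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

# EAP method numbers (IANA); the AP never needs to know these.
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_response(eap_id, eap_type, data):
    """Supplicant side: EAP-Response (code 2) of the given method type."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), eap_type) + data

def ap_wrap(secret, eap_packet, user=b"anonymous", radius_id=1):
    """AP side: copy the EAP bytes into an Access-Request without parsing them."""
    attrs = attr(USER_NAME, user)
    for i in range(0, len(eap_packet), 253):      # one attribute holds 253 bytes
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(struct.pack("!BBH", 1, radius_id, 20 + len(attrs))
                    + os.urandom(16) + attrs)
    # HMAC-MD5 over the packet, keyed with the secret shared by AP and server
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def server_read(secret, pkt):
    """RADIUS server side: verify the AP's HMAC, then see which EAP method it is."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(pkt), 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("bad attribute length")
        attr_type, end = pkt[pos], pos + pkt[pos + 1]
        if attr_type == EAP_MESSAGE:
            eap += pkt[pos + 2:end]               # reassemble fragments in order
        elif attr_type == MESSAGE_AUTHENTICATOR and end - pos == 18:
            mac = pkt[pos + 2:end]
            zeroed[pos + 2:end] = bytes(16)       # field is zero while hashing
        pos = end
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator missing or wrong shared secret")
    if len(eap) < 5:
        raise ValueError("no typed EAP packet")
    return EAP_TYPES.get(eap[4], "type %d" % eap[4])
```

A mismatched shared key between the AP and the server shows up here as a rejected Message-Authenticator, before any EAP method is even looked at.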