Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: daniel on February 22, 2012, 10:04:46 PM
-
The last SME announcement made reference to these statements.
- Add ldap as an auth type to radius
- Radius should use LDAP backend (if LDAP auth is enabled).
I would like to use the SME server as the authentication for WPA2-Enterprise in any wireless router I have. Has anyone successfully used an SME server as a radius server? I read this to mean the basic radius server is already running on SME8. If that's so, I'd be willing to test things if I could get some guidance.
Thanks.
-
The last SME announcement made reference with these statements.
I would like to use the SME server as the authentication for WPA2-Enterprise in any wireless router I have. Has anyone successfully used an SME server as a radius server? I read this to mean the basic radius server is already running on SME8. If that's so, I'd be willing to test things if I could get some guidance.
Thanks.
I remember a post somewhere in the forums from Shad, with a basic howto, not sure in which board, presumably some of the 7.x ones.
-
I remember a post somewhere in the forums from Shad, with a basic howto, not sure in which board, presumably some of the 7.x ones.
This is the one you were referring to :)
http://forums.contribs.org/index.php?topic=30736.0
-
I pieced together the notes and I actually did use the SME8 Radius server to authenticate WPA2-Enterprise on my access point. Here are a few things not mentioned that I figured out.
I do not have a purchased server certificate, only a private one generated by SME, thus it cannot be used in authentication. In setting up WPA Enterprise in Windows XP wireless, I had to make some changes on the authentication tab (in the properties of the preferred wifi network):
- Authentication EAP type changed from "smartcard or certificate" to "Protected EAP (PEAP)".
- "Authenticate as computer when computer information is available" unchecked.
- "Authenticate as guest" unchecked.
- Properties of Protected EAP changed: "Validate server certificate" unchecked, authentication method set to EAP-MSCHAP v2, "Enable Fast Reconnect" checked.
This allowed whatever username and password used to log in to the local Windows machine to be authenticated and a wifi connection established.
I made these changes to the server config by command line.
db configuration setprop radiusd TCPPort 1812 access private status enabled
db hosts setprop [wifihostname.domainname.com] RadiusKey [KeyICreated]
signal-event remoteaccess-update
I will test this LAN side for now. I want to use SME on the WAN side as a radius server for all the satellite locations' wifi connections. I believe by changing the radius port from private to public that will open 1812 up on the WAN side. What I do not know is how secure this is. Does the radius secret key encrypt the communications over the internet so passwords are secure? Will it open any other security holes on the WAN side that I'm not aware of? Is each authentication recorded somewhere in a log for future auditing? If anyone has any thoughts on this I would appreciate your comments.
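On the question of what the RADIUS secret actually protects: the following is an added example (not from this thread, SME Server or FreeRADIUS) implementing the RFC 2865 rules a RADIUS server and client follow. The shared secret is used with MD5 only to hide the User-Password attribute and to authenticate the server's reply; the User-Name, NAS attributes and EAP payloads are sent in the clear, and the hiding is a secret-keyed MD5 keystream, not modern encryption. The secret "KeyICreated" is the placeholder from the post above; the username, password and the fixed Request Authenticator are constructed for the example.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, as a worked
example of what the RADIUS shared secret does and does not protect.
All sample values are constructed; the authenticator is fixed only so
the output is reproducible (a real client uses 16 random octets)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request
    Authenticator. This is obfuscation keyed by the secret, not a cipher."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded_len = max(1, (len(password) + 15) // 16) * 16
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, padded_len, 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += cipher_block
        prev = cipher_block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a positive multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, authenticator, identifier=0):
    """Access-Request: Code, Identifier, Length, Request Authenticator, attributes.
    Note that only User-Password is hidden; User-Name travels as plain bytes."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What an access point does with an Access-Accept: without the secret a
    forged reply fails this check, which is the secret's second job."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, req_auth = b"KeyICreated", os.urandom(16)
    pkt = build_access_request(b"daniel", b"constructed-pw", secret, req_auth, 7)
    print("User-Name readable on the wire:", b"daniel" in pkt)
    print("password readable on the wire:", b"constructed-pw" in pkt)
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, secret)
    print("reply verifies with correct secret:", verify_response(reply, req_auth, secret))
    print("reply verifies with wrong secret:", verify_response(reply, req_auth, b"wrong"))
```

Two practical consequences for the WAN setup asked about above: the RADIUS secret does not make the link confidential, so RADIUS from remote sites is normally carried inside a VPN or IPsec tunnel rather than exposed on UDP 1812 directly; and with PEAP/EAP-MSCHAPv2 the user password never appears in User-Password at all (it stays inside the TLS tunnel), but the session keys the server hands back to the access point are protected only by this same secret-keyed MD5 scheme. Separately, the PEAP settings in the post above leave "Validate server certificate" unchecked, which means the Windows client cannot tell the real RADIUS server from another one presenting any certificate.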
-
Has anyone had any success in opening the RADIUS server port to the public and authenticating external devices through the internet to it?
My internal Wireless AP will authenticate to RADIUS, but I cannot get any external Router/AP at other locations to authenticate via RADIUS to the SME server.
I did open the port to the public by
db configuration setprop radiusd TCPPort 1812 access public status enabled
signal-event remoteaccess-update
What I think is happening, and I have no idea how to resolve, is I don't have any way of adding hostnames for the external internet routers and giving them a radius secret key. External routers have dynamic IP addresses and DDNS of a domain that is not in the domain list of the local SME server. Options are appreciated. Thanks.
-
a quick search with google tells me that
Though many Radius servers have not made this change, the latest RFC for Radius changed the default ports to 1812 for authentication and 1813 for accounting
are you sure your 1812 port is open? how do you connect? is there a router? a port-forward issue? a firewall?
maybe your isp is filtering that port
HTH
-
I've followed the SME instructions on opening up 1812 by setting radiusd as public and signal-event remoteaccess-update. Other services I've installed, I have opened their ports to the WAN by this same method. I know radius works on the LAN as the access point connects to it and authenticates users over wireless. I've tried using some radius tools I've downloaded online. None of them show a radius server from the WAN side, but they don't see the radius server from the LAN side either. I sense it's something to do with the radius server checking the secret key by hostname. Since outside hosts have names other than what my internal domain name is, I think that's where the problem lies.
I'm still investigating to see if I can solve it. Thanks for the help so far.
-
Hello Daniel
Try putting the external Radius Sites in local networks with just the IP and a subnet mask of 255.255.255.255.
(This works, when the SME is NOT the router, meaning the SME is running in server-only mode and another router is running.)
Can't tell, if this works when the SME is in Gateway-Mode...
Your mileage may vary...
Regards Andy
-
Daniel
I got here searching for a way to replace LDAP pfSense auth... using Radius.
I'm stuck also. What I've done till now:
[root@vm0 raddb]# db hosts set pfsense.servidor.local host RadiusKey Secret.Password
[root@vm0 raddb]# db hosts show pfsense.servidor.local
pfsense.servidor.local=host
RadiusKey=Secret.Password
[root@vm0 raddb]# signal-event remoteaccess-update
but
[root@vm0 raddb]# cat /etc/raddb/clients.conf
just shows only localhost!
client localhost {
secret = sm+0OQnHm86FVKJfS/olf1PbwNomFh/
shortname = localhost
nastype = other
}
I tried to edit clients.conf but cannot understand the syntax, and cannot get radiusd up even after a simple duplicate of the client block with s/localhost/pfsense/.
Do you have any tips ?
BTW: This is a SME8 fully updated and with LDAP auth enabled!
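To make the clients.conf syntax above less opaque, here is an added example (not SME Server's template and not FreeRADIUS code): a small parser and linter for FreeRADIUS 2.x `client NAME { ... }` blocks, fed the localhost block shown in the post, plus a renderer that writes a block with an explicit `ipaddr`. A block whose name is not an IP address is resolved as a hostname when radiusd starts, and an unresolvable name (like a bare "pfsense") prevents startup, which is the assumption behind the linter's hostname warning. The `ipaddr`, `netmask`-style CIDR and `require_message_authenticator` settings are standard 2.x client options; the IP addresses and secrets used here are constructed. Since the page shows clients.conf being regenerated by `signal-event remoteaccess-update`, a rendered block would have to go into the SME template layer rather than the generated file, otherwise it is overwritten.

```python
"""Parser, linter and renderer for FreeRADIUS 2.x clients.conf client blocks.
Added example; the sample block below is the one quoted in the thread and
the addresses/secrets passed to render_client are constructed."""
import ipaddress
import re

# The generated clients.conf quoted in the post above (localhost only).
CLIENTS_CONF_SAMPLE = """\
client localhost {
secret = sm+0OQnHm86FVKJfS/olf1PbwNomFh/
shortname = localhost
nastype = other
}
"""

_BLOCK_OPEN = re.compile(r"client\s+(\S+)\s*\{")
_KEY_VALUE = re.compile(r"(\w+)\s*=\s*(.*)")


def parse_clients_conf(text: str) -> dict:
    """Return {client_name: {key: value}} for flat client blocks.
    '#' comments are stripped; nested sub-blocks are not supported."""
    clients, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _BLOCK_OPEN.fullmatch(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested client block")
            current = m.group(1)
            if current in clients:
                raise ValueError(f"line {lineno}: duplicate client {current}")
            clients[current] = {}
            continue
        if line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: '}}' outside a client block")
            current = None
            continue
        m = _KEY_VALUE.fullmatch(line)
        if m and current is not None:
            clients[current][m.group(1)] = m.group(2).strip().strip('"')
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if current is not None:
        raise ValueError("unterminated client block")
    return clients


def validate_client(name: str, props: dict) -> list:
    """Problems a 2.x client block would have: no/short secret, or a name
    that is not an address and so must resolve on the server at startup."""
    problems = []
    secret = props.get("secret", "")
    if not secret:
        problems.append("missing secret")
    elif len(secret) < 16:
        problems.append("secret shorter than 16 characters")
    addr = props.get("ipaddr", name)
    try:
        ipaddress.ip_network(addr, strict=False)
    except ValueError:
        problems.append(f"ipaddr {addr!r} is a hostname, not an address; "
                        "it must resolve on the server when radiusd starts")
    return problems


def lint_clients_conf(text: str) -> list:
    """Parse errors come back as a single entry; otherwise one entry per problem."""
    try:
        clients = parse_clients_conf(text)
    except ValueError as exc:
        return [str(exc)]
    return [f"{name}: {p}" for name, props in clients.items()
            for p in validate_client(name, props)]


def render_client(name: str, ipaddr: str, secret: str,
                  shortname: str = None, nastype: str = "other") -> str:
    """Emit a client block keyed by address rather than hostname. A single
    address renders bare (a /32, as suggested in the thread); a larger
    network renders in a.b.c.d/prefix form."""
    net = ipaddress.ip_network(ipaddr, strict=False)
    addr = str(net.network_address)
    if net.prefixlen != net.max_prefixlen:
        addr = f"{addr}/{net.prefixlen}"
    return "\n".join([
        f"client {name} {{",
        f"\tipaddr = {addr}",
        f"\tsecret = {secret}",
        f"\tshortname = {shortname or name}",
        f"\tnastype = {nastype}",
        # EAP requests carry Message-Authenticator (RFC 3579), so requiring it
        # is safe for access points doing WPA2-Enterprise.
        "\trequire_message_authenticator = yes",
        "}",
        "",
    ])


if __name__ == "__main__":
    print(lint_clients_conf(CLIENTS_CONF_SAMPLE))
    print(render_client("pfsense", "192.0.2.10", "constructed-secret-0123"))
```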
-
Is there any new Info about WPA2 Enterprise <> SME8 ?