I'm setting up a wireless network for ~150 users. In short, I'm looking for a guide to set up a RADIUS server to authenticate WPA2 against an LDAP. On Ubuntu.
- I got a working LDAP, but as it is not in production use, it can very easily be adapted to whatever changes this project may require.
- I've been looking at FreeRADIUS, but any RADIUS server will do.
- We got a separate physical network just for WiFi, so not too many worries about security on that front.
- Our APs are HP's low-end enterprise stuff - they seem to support whatever you can think of.
- All Ubuntu Server, baby!
And the bad news:
- I know somebody less knowledgeable than me will eventually take over administration, so the setup has to be as "trivial" as possible.
- So far, our setup is based only on software from the Ubuntu repositories, with exception of our LDAP administration web application and a few small special scripts. So no "fetch package X, untar, ./configure"-things if avoidable.
UPDATE 2009-08-18:
While I found several useful resources, there is one serious obstacle:
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
Basically the Ubuntu version of FreeRADIUS does not support SSL (bug 183840), which makes all the secure EAP-types useless. Bummer.
But some useful documentation for anybody interested:
- http://vuksan.com/linux/dot1x/802-1x-LDAP.html
- http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius
UPDATE 2009-08-19:
I ended up compiling my own FreeRADIUS package yesterday evening - there's a really good recipe at http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html (See the comments to the post for updated instructions).
I got a certificate from http://CACert.org (you should probably get a "real" cert if possible)
Then I followed the instructions at http://vuksan.com/linux/dot1x/802-1x-LDAP.html. This links to http://tldp.org/HOWTO/html_single/8021X-HOWTO/, which is a very worthwhile read if you want to know how WiFi security works.
UPDATE 2009-08-27:
After following the above guide, I've managed to get FreeRADIUS to talk to LDAP:
I've created a test user in LDAP, with the password mr2Yx36M
- this gives an LDAP entry roughly of:
uid: testuser
sambaLMPassword: CF3D6F8A92967E0FE72C57EF50F76A05
sambaNTPassword: DA44187ECA97B7C14A22F29F52BEBD90
userPassword: {SSHA}Z0SwaKO5tuGxgxtceRDjiDGFy6bRL6ja
When using radtest, I can connect fine:
> radtest testuser "mr2Yx36N" sbhr.dk 0 radius-private-password
Sending Access-Request of id 215 to 130.225.235.6 port 1812
User-Name = "msiebuhr"
User-Password = "mr2Yx36N"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 130.225.235.6 port 1812, id=215, length=20
>
But when I try through the AP, it doesn't fly - while it does confirm that it figures out the NT and LM passwords:
...
rlm_ldap: sambaNTPassword -> NT-Password == 0x4441343431383745434139374237433134413232463239463532424542443930
rlm_ldap: sambaLMPassword -> LM-Password == 0x4346334436463841393239363745304645373243353745463530463736413035
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
...
It is clear that the NT and LM passwords differ from the above, yet the message "[ldap] user testuser authorized to use remote access" appears - and the user is later rejected...
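What the debug log shows can be checked offline. The block below is an added example, not part of the question or of FreeRADIUS itself: it reproduces the two steps rlm_pap performs on the attribute rlm_ldap hands it, namely the "Normalizing NT-Password from hex encoding" step (the 0x... string in the log is hex-decoded back into a 32-character hash) and the comparison of that hash against MD4 over the UTF-16LE password, which is how an NT hash is defined. The sambaNTPassword value and the logged NT-Password are the ones quoted in the question; the two candidate passwords are the two spellings that appear in it. MD4 is implemented in pure Python because hashlib's md4 is commonly disabled in current OpenSSL builds. The LM hash (DES-based) is left out.

```python
"""Added example (not from the question): check a sambaNTPassword entry the
way FreeRADIUS's rlm_pap does, offline.

1. rlm_ldap passes pap a hex-encoded string (the "0x4441..." in the log);
   pap "normalizes" it, i.e. hex-decodes it back into the 32-char hash text.
2. pap compares that hash with MD4(UTF-16LE(password)), the NT hash.
"""
import struct


def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (pure Python; hashlib's md4 is often unavailable)."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k_const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[k] + k_const, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, upper-case hex like sambaNTPassword."""
    return md4(password.encode("utf-16-le")).hex().upper()


def normalize_hex_attribute(value: str) -> str:
    """Mirror rlm_pap's 'Normalizing NT-Password from hex encoding'.

    The 0x... value in the debug log is the hex of the ASCII hash *text*
    (each hex digit of the hash became one byte), not the raw hash bytes.
    """
    if value.lower().startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value).decode("ascii").upper()


def check_entry(samba_nt: str, logged_nt: str, candidates) -> dict:
    """Does the logged attribute equal the directory entry, and which candidate
    password (if any) produces the stored NT hash?"""
    stored = samba_nt.upper()
    return {
        "log_matches_ldap": normalize_hex_attribute(logged_nt) == stored,
        "matching_passwords": [p for p in candidates if nt_hash(p) == stored],
    }


# Values quoted in the question's LDAP entry and FreeRADIUS debug output.
SAMBA_NT = "DA44187ECA97B7C14A22F29F52BEBD90"
LOGGED_NT = "0x4441343431383745434139374237433134413232463239463532424542443930"

if __name__ == "__main__":
    # Both spellings that appear in the question; the result shows which one
    # (if either) the stored hash was generated from.
    print(check_entry(SAMBA_NT, LOGGED_NT, ["mr2Yx36M", "mr2Yx36N"]))
```

Run it against your own directory by pasting the sambaNTPassword attribute and the NT-Password line from `freeradius -X` output; if `log_matches_ldap` is true the LDAP lookup is fine and the problem lies in the EAP inner method or the password the supplicant sends, not in the directory mapping.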