Topic: FreeRadius - How To Get Started?

Roasted

  • Zen Apprentice
  • Posts: 6
  • Karma: +0/-0
FreeRadius - How To Get Started?
« on: January 28, 2011, 09:10:47 pm »
This may be a real rookie question but I find myself kind of stuck at the moment. Due to ongoing issues with our MS Radius server, it was suggested by many we look into FreeRadius. Since I tinker with Linux quite a bit, the project came my way. The reality is, I have no idea what I'm doing with this FreeRadius setup. Someone suggested Zentyal + Radius module and I thought that might give me a bit of a lead. I'm in the Zentyal user interface now and under RADIUS my only option is to add RADIUS clients.

Can someone help me fill in the blanks here? What client are they referring to? Are they referring to the access points themselves, or the actual radius server?

Any help anybody can give me would be great. I have googled for hours for guides but each guide I find is SO different from the next, I'm left wondering which direction to take.

jsalamero

  • Zentyal Staff
  • Zen Hero
  • Posts: 1419
  • Karma: +45/-1
Re: FreeRadius - How To Get Started?
« Reply #1 on: January 30, 2011, 10:39:34 am »
Clients are access points that are able to auth against Zentyal; have a look at http://doc.zentyal.org/en/radius.html.
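
An added illustration of what registering an access point as a RADIUS client means (it is not part of the thread and is not Zentyal or FreeRADIUS code): the server looks up the packet's source address in its client table to find a shared secret, then uses that secret to verify the request. The addresses, secrets and function names below are constructed for the example, and the table is assumed to accept either a single IP or a subnet per client.

```python
import hashlib, hmac, ipaddress, os, struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 3579

# Constructed client table: each entry is a NAS (here an access point or a
# subnet of them) and the shared secret configured on both sides.
CLIENTS = {
    ipaddress.ip_network("192.0.2.10/32"): b"ap-lobby-secret",
    ipaddress.ip_network("198.51.100.0/24"): b"ap-subnet-secret",
}

def secret_for(source_ip):
    """Return the shared secret of the most specific matching client."""
    addr = ipaddress.ip_address(source_ip)
    matches = [(net, s) for net, s in CLIENTS.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def build_access_request(secret, username, ident=1):
    """What an AP sends: Access-Request with User-Name and Message-Authenticator."""
    user = username.encode()
    attrs = (struct.pack("!BB", 1, len(user) + 2) + user
             + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    # HMAC-MD5 over the whole packet with the attribute value zeroed.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def accept_packet(source_ip, packet):
    """Server-side decision: is this packet from a known client with the right secret?"""
    secret = secret_for(source_ip)
    if secret is None:
        return "drop: unknown client"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "drop: malformed"
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return "drop: malformed"
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[pos + 2:pos + 18])
            return "process" if ok else "drop: bad Message-Authenticator"
        pos += attr_len
    return "drop: no Message-Authenticator"
```

A request from an address that is not in the table is dropped before any user credentials are looked at, which is why the access point's IP and secret must match on both the AP and the server.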

Roasted

Re: FreeRadius - How To Get Started?
« Reply #2 on: January 31, 2011, 04:11:19 pm »
So more or less, the access points are clients, and the clients get configured with a static IP. Does each AP have to be configured with a specific IP from a static pool?

Roasted

Re: FreeRadius - How To Get Started?
« Reply #3 on: February 03, 2011, 08:59:15 pm »
Well, I'm a little stuck now. I have a user added to the "Users" group of Zentyal within Radius as being able to authenticate. I have the Users/Groups + Radius module enabled and actively running. I freshly rebooted Ubuntu, the Netgear access point I'm using, and this laptop. No dice.

The laptop is running XP Pro, and within the wireless settings for this SSID I unchecked the "automatically use Windows logon as authentication credentials" and from there it was prompting me to put in my credentials to authenticate to the SSID. When I put in my test user, which like I said is in the "Users" group with the Users group set to allow use for this SSID, it just loops back and asks me again.

There's clearly an authentication issue, but I'm not positive what it is at this point. I've read through the documentation dozens of times and I'm not sure what I am missing.

Within the interface of the Netgear, I have the Radius server set with the IP of Ubuntu (running FreeRadius + Zentyal) and within the Zentyal client interface I have it pointing to the IP of the Netgear access point. The current security level is WPA/TKIP w/ Radius.

Can anybody see where I goofed?

Roasted

Re: FreeRadius - How To Get Started?
« Reply #4 on: February 07, 2011, 10:33:32 pm »
Well, I found out where my issue was. I had several actually. Quite an embarrassing thing to admit, but for the sake of others troubleshooting I figured I would post it. It's simple. Don't laugh. My wireless card in my test laptop here didn't support WPA encryption, only WEP. My Radius setting was on WPA. *ducks*

Anyway, we're good now. Sort of. I can get Radius to authenticate as long as I don't have it AUTOMATICALLY assume my Windows credentials are to be used. I'm referring to the section in XP where you go to:

View Wireless Networks - Change advanced settings - Wireless Networks tab - Highlight SSID - Properties - Authentication tab - Properties - Configure.

If I have that section UNCHECKED and I let Windows ask me who I want to authenticate as, it works fine. If I have it checked, it says authentication failed.

I have two users on my XP box.
USERNAME - PASSWORD
Jason - password
test - test

So when it auto authenticates when I'm logged in as Jason or test, it fails. Yet if I manually put in Jason/password or test/test, it works fine.

Not too sure about that. Can anybody shed some light? Likewise, does anybody have any links to guides out there for integrating LDAP with Zentyal for use with Radius? So far I haven't found anything.

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
Re: FreeRadius - How To Get Started?
« Reply #5 on: February 09, 2011, 05:01:14 am »
Hi Roasted, please allow me to ask some basic questions, I'm more or less in the same boat as you are.
What I want to do is enable freeradius to authenticate users with user and pass so that they are allowed or denied to surf the internet.
The confusion is this:
Creating users on the Zentyal system enables these users to only access services on the Zentyal box, it does not apply to internet access.

At the moment I'm creating network objects with ip/mac binding and a deny all rule in the firewall.
That is ok for some fixed clients, but for the wireless access point clients I would like to use freeradius.

Is this possible or am I way off?

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

Roasted

Re: FreeRadius - How To Get Started?
« Reply #6 on: February 09, 2011, 03:18:33 pm »
I am not 100% positive to begin with. I'm only now playing with FreeRadius as well as Zentyal for the first time, so I am unsure of its capabilities. To be completely honest I'm not even sure of the direct point behind Radius, as many places I've spoken to have stuck with WPA2 Personal for simplicity and the fact "it just plain works."

Even still, I'm still trying to figure it out. But the ungodly, surprising amount of lacking support I am finding for FreeRadius (and to be frank, even user support on these forums) really puts a huge doubt in my mind I'll ever learn anything out of this and pull it off. However, I'll tell you what I have so far.

From what I have seen based on trial and error in my test user environment, I can successfully get wireless devices to be utilized through Radius user authentication. My test laptop has XP Pro SP3 on it; however, I did find a quirk with it as I said earlier, in regard to it not working if Windows automatically uses the login credentials to authenticate, whereas if I manually put the SAME ones in when asked, it works fine. I have no idea about where to go, and nor does Google, apparently.

For now I am wondering if it's a domain related issue, and whether putting the laptop on the domain and authenticating it through LDAP would make it play nicer than the setup I have now. The new problem? How the hell do I connect Zentyal to look at our LDAP when authenticating with Radius?

Sorry I can't be much help. I have far more questions than answers, unfortunately. But the above is what I've seen and where I'm currently at with it.

Escorpiom

Re: FreeRadius - How To Get Started?
« Reply #7 on: February 09, 2011, 06:41:57 pm »
Thanks for your reply Roasted.
I will also do some tests here as soon as our AP is running. Will share anything useful here.
I know about the lack of information on the internet. Been there, done that.

This stuff is just not as widely adopted as a Windows XP for example. Doesn't mean it's impossible, we just have to dig a little deeper. And learn in the process.

Cheers.
