Standard User pmb00cs
(eat-sleep-adslguide) Wed 19-Dec-12 21:15:35

Multiple Access points and Radius


 
I am thinking of adding a second access point to my home network (the signal is patchy upstairs).

Now whilst doing this I figured it would be a good chance to do it properly and set up a RADIUS server to control access. I was thinking of using FreeRADIUS.

Does anyone have any suggestions or experience I can call upon?

happily chugging along on plusnet and Virginmedia (yes I am greedy)
My web server
Standard User yarwell
(sensei) Thu 20-Dec-12 09:12:59

Re: Multiple Access points and Radius


[re: pmb00cs]
 
I did it once, using dd-wrt on the access point. There are other RADIUS-based solutions often built for hotspot access or community wifi.

http://www.informatione.gmxhome.de/DDWRT/Standard/V2...

The RADIUS server was running on another WRT initially, then a PC, then a hosted server.

--

Phil

MaxDSL - goes as fast as it can and doesn't read the line checker first.

MaxDSL diagnostics
Standard User David_W
(experienced) Thu 20-Dec-12 10:50:41

Re: Multiple Access points and Radius


[re: pmb00cs]
 
FreeRADIUS 2 is pretty easy to configure to do what you want. Start with the default configuration and make the minimum possible number of edits, testing repeatedly. Debug mode and the logs will help if you get stuck.

FreeRADIUS 2 does a pretty good job of bootstrapping its certificates out of the box - these certificates will certainly do to start with.


You need to add your access point(s) to clients.conf - this is where you configure your shared secrets.

Assuming you are going to use a static user database rather than something like LDAP, your users go in users.

You will need to make a few changes to radiusd.conf - you certainly need appropriate listen block(s).

You may need to configure one or more realms at the foot of proxy.conf, especially if you need to strip a prefix from the user name.

You may need to make a few changes to eap.conf, especially if you want the RADIUS server to return a VLAN number to the access point (typically this requires copy_request_to_tunnel and use_tunneled_reply set to yes in all enabled EAP types). Do not disable EAP types or mess around with the default EAP types - that is a pretty surefire route to breakage unless you have a deep understanding of what is happening.


Get things working without extra complexities such as VLAN numbers first. In every case, simply following the guidance already in the files is usually sufficient. Accounting is fairly easy to implement if your access points support RADIUS accounting.


The access points tend to be easy to configure. It is best to support WPA2-Enterprise only, disallow mixed mode and TKIP, and test with pre-authentication on if it is supported.
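
The edits listed in the post above, sketched as an added example that is not part of the original thread or of FreeRADIUS's shipped files. The client names, IP addresses, user names, VLAN number and placeholder secrets are all constructed; every other line in the default FreeRADIUS 2 files is assumed to stay as shipped.

```conf
# ---- clients.conf: one block per access point ----
# Give each AP its own long random secret; do not reuse the
# "testing123" secret that ships with the default localhost client.
client ap-downstairs {
	ipaddr    = 192.168.1.2
	secret    = REPLACE-WITH-LONG-RANDOM-SECRET-1
	shortname = ap-downstairs
}
client ap-upstairs {
	ipaddr    = 192.168.1.3
	secret    = REPLACE-WITH-LONG-RANDOM-SECRET-2
	shortname = ap-upstairs
}

# ---- users: static user database ----
alice	Cleartext-Password := "REPLACE-WITH-USER-PASSWORD"

# Optional, only after plain authentication works: return a VLAN.
# The indented lines are reply attributes sent back to the AP.
bob	Cleartext-Password := "REPLACE-WITH-USER-PASSWORD"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# ---- radiusd.conf: listen only on the LAN address the APs reach ----
listen {
	type   = auth
	ipaddr = 192.168.1.10
	# port 0 means "use the default from /etc/services" (1812 for auth)
	port   = 0
}

# ---- eap.conf: needed only for the VLAN case ----
# Change these two settings inside the existing ttls and peap
# sections; leave the enabled EAP types and other defaults alone.
eap {
	ttls {
		copy_request_to_tunnel = yes
		use_tunneled_reply     = yes
	}
	peap {
		copy_request_to_tunnel = yes
		use_tunneled_reply     = yes
	}
}
```

Running the server in debug mode after each of these edits, as the post recommends, shows which client block and which users entry matched a given request.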

