[MeshBox-radius] RE: Radius stuff...
From: Andy W. <an...@ti...> - 2003-02-24 17:37:34
On Mon, 24 Feb 2003, Mark Malewski wrote:

> Andy/Bob/E,
>
> Bob & E, get Andy "up to speed" on what we're trying to do. I have
> asked him to help us with the RADIUS server (and to work with E on
> this).

Can we start with a summarization of the goal and big picture?

> >Do you really want to write your own RADIUS server?
>
> Oh, of course not! We're going to use FreeRadius.
>
> We're just putting some other stuff on there as well. If you could help
> E get everything up and running, that would be great.
>
> Actually, let me put you in contact with "E" and Bob. They'll be able
> to explain a bit, and get you up to speed on what we're doing.
>
> What I need your "expertise" for is the RADIUS server (the
> authentication server). Maybe "coach" E along, and help him get
> everything up and running. Then I'll explain the even bigger problem
> that we're working on. ;-)

Okay, sure.

> Are you familiar with BIND at all?

Yes.

> Mark
>
> P.S. Our authentication servers need this:
>
> 1) Linux
> 2) FreeRadius
> 3) MySQL (to store the user accounts)

These are well understood by me.

> 4) NoCat (to act as a Captive Portal/WI-FI authentication)

Hopefully this is well understood by others.

> Actually, let me give you a brief "synopsis" of how things work.
>
> 1) There will be an authentication server (FreeRADIUS)
> 2) There will be "meshboxes" which are set top boxes for surfing the
> internet, etc. These boxes also act as wireless "Access Points" on the
> mesh network.

Is "set top" the best description, i.e., on top of your TV set?

> 3) There will be "roaming clients" (PDAs, laptops, etc.) that will use
> the MeshBoxes to connect to the internet.
>
>
> I believe we should use something like this:
>
> 1) Set up authentication server (RADIUS).
> 2) MeshBoxes authenticate to Authentication Server via 802.1x.
> 3) User database is stored on authentication server (along with
> login/passwords).
> 4) Roaming users come in contact with a meshbox... the "captive portal"
> requests authentication from the wireless user. The login/password is
> entered into the "splash page". This request (from the wireless side)
> is sent via the Ethernet side to the authentication server. If the
> authentication server verifies that the user login/password is correct
> then it allows the WI-FI user to connect/use the network (and surf the
> web, send mail, etc.)
>
> The problem I'm having (and looking to you for advice) is NOT the WIFI
> side, this is already done. It's the "backbone" side between meshboxes
> and the authentication (FreeRADIUS) server(s). What do you suggest that
> we use? 802.1x, correct?

802.1x is fine, though I'm unsure of a free stable/mature server
implementation for Linux or BSD. I see open1x has moved slightly since
the last time I looked though.

> We need help setting it up (E, read the FreeRadius docs) and we need to
> make sure that the backbone (between meshbox & auth server) is as secure
> as humanly possible. We need to make sure that the network couldn't be
> "hi-jacked", or a rogue meshbox (or wireless user) couldn't sniff/steal
> passwords or join the network.

Not a problem.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp
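The exchange the thread describes (captive portal on a MeshBox forwards the user's login/password to the RADIUS server over the backbone, server checks the user store, MeshBox acts on the reply) is the standard RADIUS Access-Request / Access-Accept flow of RFC 2865. The following Python is an added example written for this page, not code from the thread, from FreeRADIUS or from the MeshBox project. It shows both sides of the exchange, the User-Password hiding scheme keyed by the NAS/server shared secret, and the Response Authenticator that lets the MeshBox reject a forged Accept. The shared secret, the NAS identifier "meshbox-01" and the in-memory user table (standing in for the MySQL store) are constructed for the example.

```python
import hashlib
import os
import struct

# Constructed sample data (not from the thread): the secret provisioned on
# one MeshBox and on the RADIUS server, and a toy user table in place of MySQL.
SHARED_SECRET = b"example-meshbox-secret"
USER_DB = {"alice": "correct horse", "bob": "battery staple"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, ln = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:ln]))
        data = data[ln:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s.5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    p = password + b"\x00" * (-len(password) % 16)
    out, last = b"", request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + last).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, last = out + c, c
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain is keyed by the previous ciphertext block."""
    out, last = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + last).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        last = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes passwords contain no trailing NUL bytes


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def nas_access_request(user, password, secret, ident=1, request_auth=None):
    """MeshBox side: built after the user submits the splash page. Request Authenticator is random."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (ATTR_NAS_IDENTIFIER, b"meshbox-01")]  # constructed NAS name
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_respond(request, secret, user_db):
    """Server side: recover the password, check the user store, sign the reply with the secret."""
    _, ident, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields[ATTR_USER_NAME].decode()
    pw = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(user, "").encode() == pw else ACCESS_REJECT
    body = b""  # no reply attributes in this example
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def nas_verify_response(request, response, secret):
    """MeshBox side: True only for an Access-Accept that matches our request and our secret."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, resp_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + encode_attrs(attrs) + secret).digest()
    return ident == req_ident and resp_auth == expected and code == ACCESS_ACCEPT


if __name__ == "__main__":
    req = nas_access_request("alice", "correct horse", SHARED_SECRET)
    resp = server_respond(req, SHARED_SECRET, USER_DB)
    print("accepted:", nas_verify_response(req, resp, SHARED_SECRET))
    # A rogue box that captured the request but lacks the secret gets garbage, not the password.
    _, _, ra, attrs = parse_packet(req)
    print("sniffed password guess:", reveal_password(dict(attrs)[ATTR_USER_PASSWORD], b"guess", ra))
```

Two things this makes concrete for the "rogue meshbox" worry in the thread: the shared secret hides only the User-Password attribute (User-Name, NAS-Identifier and the Accept/Reject verdict travel in the clear), and the hiding and reply signing are MD5-based and only as strong as the per-NAS secret. Segment-level protection of the backbone, as the thread is asking about, is what covers the rest of the packet.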