radius server

Discussion in 'DD-WRT Firmware' started by AConnorABBCO, Aug 23, 2005.

  1. AConnorABBCO

    AConnorABBCO Network Guru Member

    I'm slowly but surely becoming more acquainted with my WRT54G. I currently have DD-WRT set up on it because I've read that it has Chillispot incorporated with it. I'm looking for a way to make users log onto the network via my WRT54G as a HotSpot. Can someone explain to me or point me towards a tutorial about the best type of radius server to use and how to set it up so that I can enable Chillispot?

  2. dslrgm

    dslrgm Network Guru Member

    Best Radius server

    Best is based on your environment.

    How many users? How many concurrently active users?

    Are the systems logging in under your control or not? (i.e. can you control client drivers).

    How much money do you have?

    I am partial to LucidLink. I helped design its proprietary EAP method. I have substantial credentials in the security and 802 community. The method follows SIGMA (used as the design basis for IKE). But LucidLink has its own client. XP and Win2000 support. More on the way.

    FUNK is very popular in corporate environment. Interlink in big ISPs. FreeRadius is everywhere. Alan DeKok (think I have his spelling correct) is a long time IETFer and has put a lot into FreeRadius to make it work right.

    For clients, consider agents like Boingo's (and you do not have to be a Boingo partner). There are other agents out there that make usage better than what M$ supplies.
  3. AConnorABBCO

    AConnorABBCO Network Guru Member

    Users vary, between 20-50 at one time, unlimited amount of registered users required.

    There is no set budget, but the goal is to turn a $60 WRT54G into an $800 Colubris HotSpot, or something of the like.

    We have a contract to offer wireless HotSpots at over 250 locations. We can do it by buying expensive premade HotSpots, turn a computer into a Linux box and use publicID, NoZone, etc. But I've been tasked to find a way to offer the same service using a WRT54G making the project cheaper. I'm not very experienced with Linux, but I can flash any type of firmware onto my router, but none so far have been able to act as a splash page that also requires a user to login to it; this is necessary for the project. Can this be done using DD-WRT or any of the systems you suggested? If so, what do you recommend as the best solution?
  4. primus1024

    primus1024 Network Guru Member

    I don't have a lot of experience as you do. I'm working at a design bureau as a designer (prepress) and a bit of technical support, but I have been able to put together a hotspot with radius authentication (Linux running FreeRadius, chillispot running from DD-WRT). The hotspot is made with two WRT54Gs at different locations (about 50 m apart) and so far there have been at most 10 users on at the same time. I guess with your experience it won't be a problem making something like this on a much bigger scale.
    As far as I know, Fedora comes with FreeRadius if you choose it during installation. Maybe you could install it on one computer and test it with DD-WRT to see if it fits your requirements.
  5. AConnorABBCO

    AConnorABBCO Network Guru Member

    OK, I have an extra computer I can install Fedora on. Is there an online tutorial on how the radius server works and how to set it up? Because like I said before, I really do not have that much knowledge with Linux.

    By installing the radius server, I configure my router to use it and it acts as an authentication page?
  6. dslrgm

    dslrgm Network Guru Member

    I don't have much experience with setting up a web portal login.

    Personally, I hate them. All too often, I have to disable my personal firewall to login, as the redirect that occurs is not permitted, and I do not have the time to figure out what to allow in the firewall rules....

    I much prefer 802.1X, maybe because I am a contributor to it?

    XP fully supports 802.1X, so does MAC OS/X. With Win2000, it depends in part on the wireless card and added drivers.

    At LAST year's RSA conference, they started supplying only 802.1X with PEAP/MSchap login. They supplied those that needed a driver, the MeetingHouse client (very good, again, being in the community, I work with these people, and that is another RADIUS server to consider, particularly if they give you a break on their client for your customers). I was sitting in the speaker's prep room and Bill Cheswick was complaining about the setup instructions for his Mac. He then bothered to read the Mac help and was set up in a 'few mouse clicks'. Of course Bill IS a security guy!

    TMobile is now offering the option of 802.1X or webportal, for example.

    Look hard at MeetingHouse. Bid them against Funk (that also has a client).
  7. primus1024

    primus1024 Network Guru Member

    Most of help I got from this page

    Don't get confused as I did - chilli is already on DD-WRT.

    Whatever IP you give to your router, clients will get 192.168.182.XXX; then, as I understand, the router does NAT to translate addresses. With ethereal on Fedora you will get only the address of the router as a source. I use rflow (available on the DD-WRT page also) to see who is on at the moment; for everything else there are logs from FreeRadius.

    Authentication page is on your server, router reads it and it serves it to clients.
  8. AConnorABBCO

    AConnorABBCO Network Guru Member

    I don't have access to another machine that I can put linux on and then fedora until next week... are there any Windows based radius servers I can test out that will accomplish what I'm looking for?
  9. dslrgm

    dslrgm Network Guru Member

    Yes indeed. Most of the vendors have 30 day trials. Here are the ones I recommend you look at in alpha order:

    Interlink (both their full strength server and LucidLink)

    Here are the things you want to look into:

    Admin effort (what level of expertise needed)
    RADIUS client configuration options (RADIUS clients are the APs)
    EAP methods supported
    Support for web server authentication (how a portal would work)
    Wireless client requirements

    Given what you have said about your environment, LucidLink is not targeted to you. MeetingHouse is pretty good, but might not be heavy-duty enough (but the product has revved since I last looked at it).

    This leaves Interlink and Funk. The 2 big players in the field. I know the developers at both companies (Paul Funk and I go back a long time at the IETF, for example).

    Wish you success.