FreeRADIUS
- Authentication, Authorization, and Accounting
- Can verify the user against LDAP, Kerberos, SQL, AD, etc.
- Server-side certs are loaded during the install
Allow ZD as client
Configure clients.conf:

    # Here, we specify which network we're serving
    client 192.168.0.2/32 {
        # This is the shared secret between the Authenticator (the
        # access point) and the Authentication Server (RADIUS).
        secret    = SharedSecretZD
        shortname = testnet
    }
Common problems
- Client can connect, but ZD can't verify the same credentials
  - The customer might be using AD. We use PAP as the authentication method, which is not supported by default.
  - In AD, tick the checkbox for PAP and test again.
Machine authentication
- Gives a wired-like experience
- Useful for schools, since the credentials of all students cannot be cached
Microsoft NPS
- IAS equivalent on Windows Server 2008 and above; Microsoft supports migration from IAS
- Enables a client health check before allowing access
- NPS = IAS + Microsoft equivalent of NAP
  - Checks anti-virus presence
  - Checks whether the firewall is enabled
  - Checks OS patch level
- Can act as a RADIUS proxy too
- Lots of policies: separate network policies for all three types (NPS capable and compliant, NPS capable and non-compliant, and NPS non-capable); policies are checked in sequential order
- 3 different policies
- Health check enforcement before letting access
- Device that connects to NPS: typically, ZD
Dynamic VLANs
- RADIUS can be configured to specify a different VLAN for each client (or for different user groups)
- ZD will know the VLAN ID from the RADIUS Access-Accept message
- The RADIUS-returned value will override ZD's setting
- The AP should be connected to a trunk port
- Currently only 802.1X WLANs are supported
- Helps to minimise broadcast domains
- Helps to isolate client traffic into separate network segments
- wlanX will have a separate group key for each broadcast domain (VLAN-specific group keys)
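As an added example (not from these notes, nor Ruckus or FreeRADIUS code), the Access-Accept exchange behind dynamic VLANs in Python: the server side builds the reply with the RFC 2868/3580 tunnel attributes, and the authenticator side does what ZD must do before trusting the VLAN ID, namely verify the Response Authenticator against the shared secret from clients.conf. The secret, Request Authenticator and VLAN number are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code; RFC 2868 / RFC 3580 attribute numbers and values for VLAN assignment
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def avp(attr_type, value):  # attribute-value pair: Type, Length (incl. header), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_accept(ident, request_auth, secret, vlan_id):
    """Server side: Access-Accept carrying the VLAN, signed with the shared secret."""
    attrs = (avp(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))  # tag 0 + value
             + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(raw):
    attrs, off = [], 0
    while off < len(raw):
        t, l = raw[off], raw[off + 1]
        if l < 2 or off + l > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((t, raw[off + 2:off + l]))
        off += l
    return attrs

def vlan_from_access_accept(packet, request_auth, secret):
    """Authenticator side (what ZD does): verify the reply, then read the VLAN; None if invalid."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    resp_auth, raw = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + raw + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None  # wrong shared secret or tampered reply: discard it
    found = {}
    for t, v in parse_attributes(raw):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")  # first octet is the tag
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode()  # optional tag octet
    ok = found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
    return int(found[TUNNEL_PRIVATE_GROUP_ID]) if ok and found.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit() else None
```

A reply whose authenticator does not verify yields None, so a wrong secret in clients.conf shows up as "no VLAN assigned" rather than as a silently accepted value.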
RADIUS attributes
- Interaction goes between the authenticator and the RADIUS server
- Two types: authentication and accounting attributes (start, interim update, and stop)
- WLAN type specific (e.g., WISPr-specific attributes)
- More info is at https://ruckuswirelessmain.pbworks.com/w/page/174834/RadiusAttributes
LDAP
- Hierarchical directory of objects with associated attributes
- Supports simple authentication (aka simple bind)
- Enter IP, Base, and Admin DN details in the ZD
- DN = distinguished name (what it means is a unique identifier)
- Base and Admin DNs specify the path for user and admin accounts
- Specify the Admin DN if the server requires it for the user DB search
- Key Attribute is what you want to search on: username/mail/telephoneNumber
LDAP Hierarchy
LDAP Configuration
- DNs are built from bottom to top in the hierarchy (each level is separated by a comma)
- Base DN: dc=mhs-xserve,dc=minarets,dc=org
- Admin DN: uid=diradmin,cn=users,dc=mhs-xserve,dc=minarets,dc=org