Koozali.org: home of the SME Server

Radius

cc_skavenger

Radius
« Reply #30 on: February 24, 2005, 01:16:37 AM »
Sure,

I configured radius as follows.  My wireless network consists of many AP-Plus's, many AP-1000s, and countless other brands of access points too numerous to mention.

Edit radiusd.conf, configure items necessary for your network.  This is how my file is configured:
 
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 1.2.3.4
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no  # Don't want users with duplicate macs on the network
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no


Edit clients.conf, add an entry that looks something like this:

EXAMPLE:
client 1.2.3.4 {
        secret          = secret word
        shortname       = AP's name
        nastype         = other
}

The secret word is going to be used as the universal password from the AP to the server.  The AP must be set up to use the same word as what is put in here; anything else will never work.  The AP's name is just for the logs; it tells you where the user authenticated.

Edit users file, add an entry similar to this:

EXAMPLE:
010203-040506  Auth-Type := Local, User-Password == "secret word"

010203-040506 is the mac address of the wireless device to be authenticated.  The secret word is the same as what you used in the AP and the clients.conf file.  

That should be it.  I add users to the user file and restart the radiusd service.  Now, if the user has been denied by the AP before they were added to the list, the AP must be rebooted or they will never get authenticated.  I have set my APs to authenticate every 15 minutes, but for some reason, when someone is denied, they are denied till I reboot.  Not really a problem for me, but might be for someone else.

HTH
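
Added example, not part of cc_skavenger's post: a small generator for the users-file lines described above, which normalises MAC addresses to the `010203-040506` form and rejects malformed or duplicate entries before they reach the file. The function names, the sample list and the choice of upper-case hex are assumptions; the secret is the post's placeholder.

```python
import re

# Placeholder from the post: the same value configured on the AP and in clients.conf.
SHARED_SECRET = "secret word"

def normalize_mac(raw, upper=True):
    """Return a MAC as XXXXXX-XXXXXX (the users-file key format shown above).

    Raises ValueError for anything that is not exactly 12 hex digits once
    the usual separators (':', '-', '.', whitespace) are removed.
    """
    digits = re.sub(r"[:\-.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    # lower_user = no in radiusd.conf means the name is matched as sent, so the
    # case chosen here has to be the case the AP sends (assumption: upper).
    digits = digits.upper() if upper else digits.lower()
    return f"{digits[:6]}-{digits[6:]}"

def build_users_entries(macs, secret=SHARED_SECRET, upper=True):
    """Return (entries, rejected): users-file lines plus (input, reason) pairs."""
    if '"' in secret or "\n" in secret:
        raise ValueError("secret cannot be written inside a quoted users-file value")
    entries, rejected, seen = [], [], set()
    for raw in macs:
        try:
            key = normalize_mac(raw, upper)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if key in seen:
            rejected.append((raw, f"duplicate of {key}"))
            continue
        seen.add(key)
        entries.append(f'{key}  Auth-Type := Local, User-Password == "{secret}"')
    return entries, rejected

# Constructed sample inventory, not real devices.
SAMPLE = ["01:02:03:04:05:06", "0102.0304.0506", "aa-bb-cc-dd-ee-ff",
          "01:02:03:04:05", "aabbccddeeffgg"]

if __name__ == "__main__":
    entries, rejected = build_users_entries(SAMPLE)
    print("\n".join(entries))
    for raw, reason in rejected:
        print(f"# skipped {raw!r}: {reason}")
```

As in the post, radiusd still has to be restarted after the generated lines are added to the users file.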

Franco

Radius
« Reply #31 on: February 25, 2005, 07:37:32 PM »
Excellent explanation Marco,
I'll see if I can make dialupadmin do the work of managing these for me.
Since you mentioned many wireless APs and the rebooting issue, let me ask you:
How do you manage the rebooting from far away? I saw one of the Seattle Wireless TV once, where a group had managed to create a second network just to manage that side.

Once again,
Thank you!

cc_skavenger

Radius
« Reply #32 on: February 25, 2005, 08:52:31 PM »
I use the vpn service built into SME.  My servers are set up in server/gateway mode, so I can get to them from anywhere.  I set up the server so that the vpn service only gave out certain IPs, so that I wouldn't land on a customer radio IP. The radios are on a different subnet, usually a 10.X.X.X.  The routers are all on some kind of private subnet, usually a 172.X.X.X or 192.168.X.X.  The APs, backhauls and radios are all on the same subnet.  I vpn into the SME server that handles the radius / bandwidth control and I can administer any of the radios that I need to (firmware or check to see if they are connected, etc).  This is for any of the remote sites that I also have to maintain.  If I am local, I have several IPs loaded in my laptop nic so that I can see all the local IP networks.  Kind of a strange network, but I didn't create it and I am not allowed to change it either.
For the VPN to work, I am only behind a cheap hardware router.  I had problems using the vpn from behind my SME caching gateway, so I put myself and my co-workers behind a hardware router and we don't have any more problems.
Hope this answered your questions.

Franco

Radius
« Reply #33 on: February 25, 2005, 09:19:24 PM »
I'm using the VPN services to connect; what happens to me sometimes is that I have a hard time tunneling from behind an SME to another SME. I'm trying to get OpenVPN working (from knuddi) and hopefully my problems will go away. What I meant was rebooting the AP from far away. Let me explain:
Some of my APs are as far as 70 km away. So if they get stuck and need a reboot, I have to drive that far. So I was looking for solutions for this problem; not that it happens often, but it certainly would help.

Thanks,

cc_skavenger

Radius
« Reply #34 on: February 26, 2005, 06:31:22 AM »
Oh, sorry.  What type of AP?  I haven't had any APs lock up like that since I replaced some Senao APs and some xi-1500 APs (they didn't do radius, only internal MAC authentication).  Is there any kind of server on the other side of the link, by the AP?  There was a link for controlling a device with a Linux server.  It was a home automation kit from X-10.  There was a little script that would ping the device or a website; if there was no response, it would reboot a DSL router.  Could be used for the AP... Will look for the site.


kirkf

Radius
« Reply #36 on: March 02, 2005, 07:32:19 AM »
Hello.  I've been reading through a few threads about radius and dialup_admin, but can't seem to find the sme freeradius rpm.  I've found numerous references to it, but no actual rpm... Are you using that, or just installing the tar from freeradius.org?

Thanks!

Kirk

ajkeane

Radius
« Reply #37 on: March 02, 2005, 10:03:06 AM »
I believe you can find it here in the downloads area.

http://sme.swerts-knudsen.dk/

Tony
...