FreeRADIUS + Canopy.

Hello, I was wondering if anyone had set up a FreeRADIUS server with a Canopy setup, using MAC address authentication?

If so, is there any possibility of seeing your (or an example) FreeRADIUS config for MAC address authentication…

At the moment I have FreeRADIUS 1.0.2-4 (Debian) with MySQL support set up. I can authenticate with a username/password combo, but I'm not sure if it's correct…

Basically, at the moment I don't have access to the Canopy Access Point, as we just set up the wireless tower today (it's not functioning yet).

I need to know what the incoming packets from the Access Point to RADIUS are going to look like, i.e.

Is it going to send the MAC address as a username/password combo, or is it going to act like an Orinoco AP-500/600, where it sends the MAC address as the username and uses the Access Point's password as the 'client's' password?

Also wondering if I'm going to need any other attributes in the user group…

Basically, I want a client to try and get online; when their MAC address is authenticated, they can surf the net like normal. (All IP allocation etc. would be done by the AP and not FreeRADIUS.)


Edit:

I should note I checked the FreeRADIUS website and their mailing list for an example of the attributes/settings needed for a simple MAC address authentication procedure and found nothing :( … I'm fairly new to FreeRADIUS, or RADIUS in general; the last RADIUS product I used was for Macintosh and was point-and-click and very easy :P

Not sure if I understand exactly what you are trying to achieve.

If you want to ensure that only a specific SM can register to your network, then a RADIUS server cannot help you with that, as the SM will first need to register to the RF network and then try to authenticate. For this registration process you need to use BAM (Motorola software); it will check the MAC address of the SM at the time of registration, and then the AP will either allow it to register or deny it.

If you are talking about a normal RADIUS server, where once a customer is part of your network you want them to authenticate via a username/password and then you assign them permission, access and IP, then this cannot be done via the SM; there is no way of configuring the SM to talk to a RADIUS server (as far as I know). You will need to disable NAT on the SM so it becomes a transparent device, stick a DSL router at the customer side, and configure that to talk to RADIUS as you would in a normal standard network.

If anyone has any other ideas, please let me know, as we are trying to achieve a similar thing without deploying a DSL router at the customer site; we may need to wait until Mot decides to support it in the firmware.

vj wrote:

If anyone has any other ideas, please let me know, as we are trying to achieve a similar thing without deploying a DSL router at the customer site; we may need to wait until Mot decides to support it in the firmware.


PPPoE is supported on WinXP, and there is a third-party freeware client for other versions of Windows.

PPPoE is the industry standard for client authentication. A PPPoE aggregator can be built from an old Intel box and either FreeBSD or Linux.

You can also use a MikroTik and a RouterBOARD to provide this service.

...

Hi micers,

That is an option, but dealing with customers with one computer is fine, but this does not scale too well with a network. Maybe I will have to use a combination of both. I would love to switch off NAT on the SMs; it causes untold problems with VPN, VoIP, etc… and I don't like the idea of an open flat network, as if you know what you are doing it is easy to bring down the network.

Are you using this setup? Any chance of a basic setup diagram/info?

vj wrote:
Hi micers,

That is an option, but dealing with customers with one computer is fine, but this does not scale too well with a network. Maybe I will have to use a combination of both. I would love to switch off NAT on the SMs; it causes untold problems with VPN, VoIP, etc… and I don't like the idea of an open flat network, as if you know what you are doing it is easy to bring down the network.

Are you using this setup? Any chance of a basic setup diagram/info?

Hi vj,

I've been reading your posts for a few days now. Sounds like you have a pretty big network.

Yes, we are using this setup. We have two PPPoE servers built upon SuSE 9.1 Linux. We have about 100 dialup lines, two inbound T-1s carrying about 60 DSL subs each, and sixty Canopy subscribers on three towers.

Our Internet connectivity is provided by three T-1s (two AT&T and one Qwest) connected to a Cisco 36xx router running BGP with our own ASN.

Usually we install a D-Link router configured for PPPoE, as we get them for $24.00 each, and we feel the investment is worth it because of the protection it affords our customers.

Subscribers who want static addresses are handed one by the PPPoE server based upon their user name. Subscribers who don't care are NATed at the PPPoE aggregator.

Personally, I have not found that a switched network is any less robust than a routed network. Given judicious use of your switches on your backbone (smart switches, not cheap stuff), you can control the layer-two traffic. I have not found that a bridged network does not scale well, but we are not *huge* yet. I don't believe anyone who *knew what they were doing* would be able to take our network down for very long before we *knew who they were*. One of the problems with attacking a network at layer two is that you have to do it from the inside, and that means you can be located by simply unplugging ports on a switch.

It is a toss-up. Switched networks need careful watching; routed networks are poor performers (WRT latency). We route when we have to and switch when we are able.

Just my two...

I tried using NAT off on the SM and several Chilli servers that do authentication against a FreeRADIUS-MySQL server, by MAC address and by username and password as well.

I was trying to avoid Chillisoft, though I definitely looked into it. Now I'm looking at PPPoE (though it's not my decision in the long run); I think PPPoE would fit the company's needs in the long run, personally.

As for my original post, and a reply to vj:

If you want to ensure that only a specific SM can register to your network, then a RADIUS server cannot help you with that, as the SM will first need to register to the RF network and then try to authenticate. For this registration process you need to use BAM (Motorola software); it will check the MAC address of the SM at the time of registration, and then the AP will either allow it to register or deny it.

I know that with an Orinoco AP-500/600 the process that's involved is:

The client tries connecting wirelessly and is then registered/authenticated to the Access Point; the Access Point then sends off the MAC address for that specific SM (client) to a RADIUS server and appends the Access Point's password for further verification, to allow/deny access to the Internet.

Now, as I said above, the Orinoco AP-500/600 appends the Access Point's 'shared key' to the RADIUS request, whereas other access points would send the MAC address as the username & password; not only that, but specific access points send out different styles of attributes.

The Orinoco APs send out a MAC address to the RADIUS server like 0040f4-683f26,
whereas another AP may send 00:40:f4:68:3f:26 or even 00-40-f4-68-3f-26.

So I was curious as to what the Canopy hardware sends out to the RADIUS server as the login/password combination, and/or whether it was going to try and send it via EAP or as unencrypted MAC address authentication.

"Are we confused yet? 'cuz I know I am :)"

I personally would just use the BAM for everything, but the company in question is using Canopy on one side of the city and another type of wireless setup in a different area outside the city, so integrating the two systems for user management is a must.

Thanks to everyone who has replied; I've got a couple of ideas now that I can spin around :)

And just one question for micers:

What software are you using for your PPPoE server? (If we/I go to PPPoE it will be based off of Debian.)
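The two AP behaviours discussed in this thread (the MAC sent as both username and password, versus the Orinoco style where the MAC is the username and the AP's shared key is the password) and the three MAC spellings the original poster lists, as an added example that is not from the thread, from FreeRADIUS or from Canopy. It builds the Access-Request the way an AP (the NAS) would, hiding User-Password with the RFC 2865 MD5 scheme, and on the server side normalizes the MAC to one form before checking it against an allow-list and signs the reply. The shared secret, the AP password, the NAS address and the allowed MACs are all constructed values for the example.

```python
"""Constructed example of MAC-address RADIUS authentication, both sides.
Not FreeRADIUS or Canopy code; every secret, address and MAC below is made up."""
import hashlib
import hmac
import os
import re
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"testing123"      # assumed NAS<->RADIUS shared secret
AP_PASSWORD = b"ap-shared-key"     # assumed Orinoco-style AP password
# Allow-list keyed by canonical lowercase colon-separated MAC (constructed).
ALLOWED_MACS = {"00:40:f4:68:3f:26", "00:40:f4:aa:bb:cc"}


def normalize_mac(raw):
    """Map 0040f4-683f26, 00:40:f4:68:3f:26 or 00-40-f4-68-3f-26 (any case)
    to 00:40:f4:68:3f:26; return None for anything that is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first 'previous block' being the authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; a wrong secret simply yields garbage bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip="192.0.2.10", ident=1):
    """AP side: User-Name is the MAC in whatever format this AP uses; User-Password
    is either the MAC again or the AP's shared key, hidden with the RADIUS secret."""
    authenticator = os.urandom(16)
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(USER_PASSWORD, pap_hide(password, secret, authenticator))
             + _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), authenticator) + attrs


def parse_packet(pkt):
    """Split a RADIUS packet into (code, id, authenticator, {type: value})."""
    code, ident, length, authenticator = struct.unpack("!BBH16s", pkt[:20])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(resp, request_auth, secret):
    """AP side: ignore a reply that was not produced with the shared secret."""
    head, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def handle_request(pkt, secret, mode):
    """Server side. mode is 'mac-as-password' (MAC in both fields) or
    'ap-password' (Orinoco style). Returns the Access-Accept/Reject packet."""
    code, ident, auth, attrs = parse_packet(pkt)
    mac = normalize_mac(attrs.get(USER_NAME, b"").decode("ascii", "replace"))
    password = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, auth)
    ok = code == ACCESS_REQUEST and mac in ALLOWED_MACS
    if mode == "mac-as-password":
        ok = ok and normalize_mac(password.decode("ascii", "replace")) == mac
    elif mode == "ap-password":
        ok = ok and hmac.compare_digest(password, AP_PASSWORD)
    else:
        ok = False
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, secret)


if __name__ == "__main__":
    for fmt, pw, mode in [("0040f4-683f26", b"0040f4-683f26", "mac-as-password"),
                          ("00-40-f4-68-3f-26", AP_PASSWORD, "ap-password"),
                          ("00:11:22:33:44:55", AP_PASSWORD, "ap-password")]:
        resp = handle_request(build_access_request(fmt, pw, SHARED_SECRET), SHARED_SECRET, mode)
        print(fmt, mode, "->", {ACCESS_ACCEPT: "Access-Accept"}.get(resp[0], "Access-Reject"))
```

The normalization step is the part to carry over to a real FreeRADIUS/MySQL setup: the server matches User-Name literally against what is stored for the user, so either the stored MAC must be in exactly the format that particular AP sends, or the attribute has to be rewritten into one canonical form before the lookup. Note also that the MD5 hiding of User-Password only keeps the AP password off the wire in the clear; anyone who can capture the Access-Request still sees the MAC in User-Name, which is why this scheme controls which radios get online but is not a strong proof of who is behind them.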