Hi,

I'm trying to figure out how to practically use RADIUS to authenticate users.

So far, I have only found documentation explaining that the idea is that users somehow magically need to authenticate against a RADIUS server via a device like a switch or a wireless access point before they are given or being denied access to a network. I understand that I have to refer to the documentation of the switch or access point to figure out how to set up RADIUS authentication with the particular device.

But how is this achieved in practice? Let's say I have a couple laptops and a couple phones and a couple computers which connect either to a switch or to a wireless access point. Both the switch and the access point support RADIUS, and I would set them up to talk to the RADIUS server and require every device that wants to connect to the network through them to authenticate first. I also have a couple thin clients and a couple computers which use PXE-boot, and the users of those would have to provide authentication before the machines could even boot.

Then what? How do I make it so that the users are actually able to authenticate?

Is there any documentation about this? Or am I not supposed to use RADIUS but something else?
Hi,

Radius is a AAA protocol (Authorization, Authentication and Accounting); you can use the three methods or only one of them.

Authentication can be done by using a Freeradius server, authorization will give a user profile with certain privileges, for example in a network connection, and accounting (user connection details) can be registered in a MySQL database if needed.

Check for guides on how to install and use Freeradius on CentOS.

Regards,

On Wednesday, 14 February 2018, hw <hw at gc-24.de> wrote:

> Hi,
>
> I'm trying to figure out how to practically use RADIUS to authenticate
> users.
>
> So far, I have only found documentation explaining that the idea is that
> users somehow magically need to authenticate against a RADIUS server via
> a device like a switch or a wireless access point before they are given or
> being denied access to a network. I understand that I have to refer to
> the documentation of the switch or access point to figure out how to set
> up RADIUS authentication with the particular device.
>
> But how is this achieved in practice? Let's say I have a couple laptops and
> a couple phones and a couple computers which connect either to a switch or to
> a wireless access point. Both the switch and the access point support RADIUS,
> and I would set them up to talk to the RADIUS server and require every device
> that wants to connect to the network through them to authenticate first. I also
> have a couple thin clients and a couple computers which use PXE-boot, and the
> users of those would have to provide authentication before the machines could
> even boot.
>
> Then what? How do I make it so that the users are actually able to
> authenticate?
>
> Is there any documentation about this? Or am I not supposed to use RADIUS but
> something else?
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
Javier Romero
E-mail: xavinux at gmail.com
Skype: xavinux
Javier Romero wrote:

> Hi,
>
> Radius is a AAA protocol (Authorization, Authentication and Accounting); you
> can use the three methods or only one of them.
>
> Authentication can be done by using a Freeradius server, authorization will
> give a user profile with certain privileges, for example in a network
> connection, and accounting (user connection details) can be registered in a
> MySQL database if needed.
>
> Check for guides on how to install and use Freeradius on CentOS.

Thanks, this is what I already know. Installing RADIUS isn't a problem, either. But what do I do then?
On 02/14/2018 08:37 AM, hw wrote:

> Then what? How do I make it so that the users are actually able to
> authenticate?

Look for documentation on 802.11x authentication for the specific client you want to authenticate.

WiFi is pretty straightforward. You're probably accustomed to authenticating with WPA2 Personal. With RADIUS, you'll use WPA2 Enterprise. Users will be asked for their RADIUS credentials when you select that option.

Ethernet is fairly similar to WPA2 Enterprise for WiFi. Under GNOME, for instance, you can open the Network configuration tool, click on the configuration gear for the wired connection, and then select the Security tab. Turn on 802.1x Security, and then you'll have the option to select an authentication type that matches your switch and RADIUS configuration. This will vary from client platform to client platform, but it's basically the same as WiFi authentication:

https://en.wikipedia.org/wiki/IEEE_802.1X#Supplicants
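For clients without a graphical network tool, the same supplicant settings can be written for wpa_supplicant. The following is an added example, not part of the original thread: it assumes the RADIUS server is set up for PEAP with MSCHAPv2, and the file paths, interface names, SSID, user name, password and server name are constructed placeholders.

```conf
# Constructed example. Two separate files are shown because ap_scan is a
# global setting and differs between wired and wireless use.

# ---- /etc/wpa_supplicant/wired.conf (hypothetical path) ----
# Start with: wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired.conf
ctrl_interface=/run/wpa_supplicant
# Wired ports have nothing to scan for or associate with.
ap_scan=0

network={
    # Plain 802.1X on a switch port, no WPA key management.
    key_mgmt=IEEE8021X
    eapol_flags=0
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity, visible before the TLS tunnel is up.
    anonymous_identity="anonymous"
    # Inner identity and password: the user's RADIUS credentials.
    identity="alice"
    password="CHANGE-ME"
    # Verify the RADIUS server's certificate before sending credentials.
    # Without ca_cert the supplicant accepts any server certificate.
    ca_cert="/etc/pki/tls/certs/radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# ---- /etc/wpa_supplicant/wifi.conf (hypothetical path) ----
# Start with: wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wifi.conf
ctrl_interface=/run/wpa_supplicant

network={
    ssid="ExampleCorp"
    # WPA2 Enterprise: same EAP settings, keys derived per session.
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous"
    identity="alice"
    password="CHANGE-ME"
    ca_cert="/etc/pki/tls/certs/radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

The `eap` and `phase2` values have to match a method enabled on the RADIUS server, and the switch port or access point must list that server as its authentication server.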
Gordon Messmer wrote:

> On 02/14/2018 08:37 AM, hw wrote:
>> Then what? How do I make it so that the users are actually able to authenticate?
>
> Look for documentation on 802.11x authentication for the specific client you want to authenticate.

Thanks, I figured it is what I might need to look into. How about a client that uses PXE boot?

> WiFi is pretty straightforward. You're probably accustomed to authenticating with WPA2 Personal. With RADIUS, you'll use WPA2 Enterprise. Users will be asked for their RADIUS credentials when you select that option.

That seems neither useful, nor feasible for customers wanting to use the wireless network we would set up for them with their cell phones. Are cell phones even capable of this kind of authentication?

> Ethernet is fairly similar to WPA2 Enterprise for WiFi. Under GNOME, for instance, you can open the Network configuration tool, click on the configuration gear for the wired connection, and then select the Security tab. Turn on 802.1x Security, and then you'll have the option to select an authentication type that matches your switch and RADIUS configuration. This will vary from client platform to client platform, but it's basically the same as WiFi authentication:

I'm not using gnome; I recently tried it, and it's totally bloated, yet doesn't even have a usable window manager.

Anyway, there are some clients that can probably authenticate, which leaves the ones that use PXE boot. I tried things out with a switch, and it would basically work. If it makes sense to go any further with this and how now needs to be determined ...

> https://en.wikipedia.org/wiki/IEEE_802.1X#Supplicants