[CS-FSLUG] Radius Server

Tue Jun 27 10:52:32 CDT 2006

Timothy Butler wrote:
> 	My church has been doing an expansion project, and I'm planning  
> laying out wireless access points over the whole building to blanket  
> it with Wi-Fi. This is good in that we could use access in different  
> rooms much of the time, but bad in that we don't want people to  
> freely come in with unfettered web access (surfing x-rated material  
> in a church just isn't something we want to encourage, ya know?).
> 
> 	Anyway, right now, we are using basic WPA authentication with a  
> single passkey. This is OK when wireless only covers the church  
> office -- those of us who should have access do, and those who don't  
> need it don't have it. The problem is that a lot more people will  
> enter the "should have" category if we cover the whole building --  
> Sunday school teachers, committee members, etc. Soon, if we have just  
> one password, it will be known to far too many people.
> 
> 	So, I decided maybe I ought to look into a Radius solution, so that  
> we could give each person their own account that could be revoked or  
> granted as needed. Anyone have any experience in such an  
> implementation? I'm thinking I'd go with an RHEL server to run it,  
> but Mac OS X Server is a possibility as well. They'd probably prefer  
> Windows 2003 Server, but it is bad enough administering Windows  
> clients, I do not want to administer a Windows server too.
> 
> 	Also, if this could be linked to some kind of total authentication  
> method that would cover Ethernet too, I'm game. It'd be nice if we  
> could make it necessary to have a user ID to use the wired Ethernet  
> jacks around the building too. I'm not familiar with the options in  
> that direction, though...
> 
> 	Suggestions? Tips? Notes telling me I'm insane?

It depends a lot on the amount of maintenance that you want to take on.
 If you put in a Linux server you could do the following:

1. Keep the WPA if you don't want open wireless.  For those that want
access, they have to come in to the office and sign some type of
Computer Usage Agreement (which would contain items on acceptable usage
and monitoring of that usage).  While there, the computer could be setup
with the key (not giving it to them, but some trusted person doing the
setup).

2. Use a DHCP server on the Linux server rather than the wireless points
(setup the wireless in bridge mode).  Deny unknown clients (they'll get
a 169.x.x.x address which won't go anywhere).  You'll need a bridge to
connect the wireless to the wired network and make one network out of
the two (see: http://www.wi-fiplanet.com/tutorials/article.php/1563991
and http://tinyurl.com/hxdyz for ideas.)

3. Block outgoing port 80, 443, 3128, 8080, 20, 21, etc. on your
firewall for everything except the Linux server.

4. Setup Squid (Proxy) and DansGuardian (Web Filter) on your Linux server.

5. Setup Apache and a Virtual Host on your domain to serve a file called
wpad.dat. (Web Proxy Auto Detection - which is the same as the proxy.pac
type files from netscape, but MS changed it to wpad.dat).

6. When setting up the machines, set their proxy on their machine to
"automatically detect for this network".

Other options:

a. Rather than denying clients in DHCP, give them another subnet that
has a DNS that resolves every address to your linux server.  Have Apache
on your server show a default page with instructions on the steps
involved to get authorized to use the network (e.g. Fill out
application, Sign usage agreement, Have person "x" setup computer, etc.).

b. For accountability, in the application/usage agreement have them
authorize their spouse (or another person, if not married) to receive
the logs of their web surfing each month.  Pull these logs from
Squid/DansGuardian.

c. On the wireless, you could also add MAC authentication.