wireless authentication and ldap

xSauronx

Lifer
Jul 14, 2000
My work-study boss (community college) has given me a research assignment but I'm kinda lost on where to start, as I have zero experience with any enterprise type of wireless authentication. Currently there are several 3Com WAPs scattered in a few buildings around campus. They're all on a VLAN segregated from the campus network and get internet access from a separate DSL line from what the rest of the campus uses.

But there's no real security, no encryption, no firewall, no web filtering. After entering a generic username/password when you connect to the AP (and then subsequently having to add an exception for a certificate) the wireless is open and uncontrolled/unregulated.

The admin wants it secured and would like to use the LDAP database (we use Novell eDirectory here, currently) as the basis for authentication and end up running it all through Websense and the firewall, and add the DSL line to the firewall with the metro ethernet connection he has.

Googling around for RADIUS with LDAP seems to get me some info, but is that a proper/straightforward way to do what he wants for authentication, or do I need to be looking into something else?
 

imagoon

Diamond Member
Feb 19, 2003
Typically you start with an enterprise grade wireless system that is able to authenticate via LDAP. Cisco Aironet / Aruba are examples. The better systems have a central controller that does all the work and the AP radios act like dumb units.
 

spidey07

No Lifer
Aug 4, 2000
You'll need a RADIUS server, you already know that. Then just pick what authentication protocol you want to use. I'd suggest WPA2/AES with PEAP and get a public certificate. You may already have a RADIUS server running. Check the AP configuration to see where they're going for auth.
 

xSauronx

Lifer
Jul 14, 2000
I don't know that there's a RADIUS server running, unless that's what's running to cover the sole generic logon that's currently used.

The admin was supposed to be funded to buy radios, and more radios and a license for the 3Com management software (he has a couple old Cisco WAPs somewhere, I think, but doesn't use them afaik) but... he only got a few radios, no more, and no license for the management software. He *wants* the license, but given the budget cuts, has trouble getting money to even get the phone lines repaired at school.

I'll just look into the RADIUS thing. Does Server 2k3 have something that can run that with an LDAP db other than AD?

/so outta my league
 

SammyJr

Golden Member
Feb 27, 2008
This sort of thing is pretty trivial with AD. Set up an IAS/NPS server, configure and add WAPs as RADIUS devices, configure PEAP/certs. Done. Takes like 15 minutes plus cert ordering time.

With eDirectory, you could set up FreeRADIUS on Linux to do what you need to do. It's doable, but it's not easy like the MS solution. Novell might have a solution, too, but I get the feeling they're pretty much leeching off of Linux for most things these days.

Want to be a hero? Help your boss get rid of Novell. I'm the guy who is purging my employer of Novell and people positively adore me. Makes me want to be a full time Novell to MS consultant.
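The FreeRADIUS-against-eDirectory setup SammyJr describes, wired to the WPA2/AES + PEAP design spidey07 recommends, as an added configuration example that is not from any poster in this thread. It assumes the FreeRADIUS 3.x file layout; the LDAP host, bind DN, tree name and AP address (ldap.campus.example, cn=radius-svc,o=campus, 10.20.0.11) are placeholders.

```conf
# clients.conf: every 3Com AP is a RADIUS client (NAS) with its own shared secret,
# so a compromised AP cannot impersonate the others
client wap-bldg-a {
    ipaddr   = 10.20.0.11                  # placeholder AP address on the wireless VLAN
    secret   = CHANGE-ME-long-random-secret
    nas_type = other
}

# mods-available/ldap: look users up in eDirectory over LDAP with StartTLS
ldap {
    server   = 'ldap.campus.example'       # placeholder eDirectory host
    identity = 'cn=radius-svc,o=campus'    # placeholder read-only service account
    password = 'CHANGE-ME'
    base_dn  = 'o=campus'
    # eDirectory-specific: retrieve the Universal Password so the inner
    # MS-CHAPv2 exchange can be verified (a plain bind check cannot do that).
    # The service account must be granted read rights to it in eDirectory.
    edir = yes
    user {
        base_dn = "${..base_dn}"
        # eDirectory login names are normally the cn attribute
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        start_tls    = yes
        ca_file      = /etc/ssl/certs/campus-ca.pem   # CA that signed the eDirectory cert
        require_cert = 'demand'                      # refuse an unverifiable directory server
    }
}

# mods-available/eap: PEAP outer tunnel under a publicly trusted server cert
# (no per-client certificate exceptions), MS-CHAPv2 as the inner method
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = /etc/freeradius/certs/server.key
        certificate_file = /etc/freeradius/certs/server.pem   # server cert + intermediate chain
    }
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"   # inner identity is checked against LDAP here
    }
    mschapv2 {
    }
}
```

Enable the module by symlinking mods-available/ldap into mods-enabled and list `ldap` in the `authorize` section of both the `default` and `inner-tunnel` virtual servers; `radiusd -X` shows the eDirectory lookup and the PEAP/MS-CHAPv2 result for each test logon.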