FreeRADIUS, NMAS, and wireless (802.1x) Networks

  • 3714126
  • 28-Sep-2007
  • 16-Mar-2012

Environment

FreeRADIUS
Novell SUSE Linux Enterprise Server 9 or 10

Situation

This document describes how a RADIUS server relates to wireless network authentication, known by its IEEE specification, IEEE 802.1x (referred to as Extensible Authentication Protocol, or EAP, throughout this document).

Resolution

When performing a wireless authentication, there are three separate entities:
  • The workstation - this typically has a Network Authentication mechanism installed.
  • The access point or switch - this is what the workstation is connecting to, and is pointed to a RADIUS server.
  • The RADIUS server - this device is what grants or denies access to services using the RADIUS protocol.
The server must be able to use a protocol that the client can use. If the server is not capable of the protocol, the clients will not be able to authenticate. For this reason, the NMAS Radius NLM on NetWare will not work - it can only work with PAP and CHAP requests. The relationships of RADIUS protocols are:



The majority of EAP extensions require having the password in plain text on the RADIUS server side. For this reason, the source of the authentication credentials should be protected using permissions or authorization.
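Why the server-side password has to be recoverable, shown as an added example (not part of the original document or of FreeRADIUS). It uses the MD5 challenge-response of RFC 1994, shared by CHAP and EAP-MD5, as one representative method; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP / EAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_challenge_response(ident: int, challenge: bytes,
                              response: bytes, stored_secret: bytes) -> bool:
    # The server never sees the password on the wire. It must recompute the
    # digest itself, so whatever it has stored must be the cleartext password.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def hash_password(password: bytes, salt: bytes) -> bytes:
    """One-way storage form (PBKDF2 chosen here only for illustration)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_pap(received_password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # With PAP the RADIUS server recovers the password from the request,
    # so it can hash what it received and compare against a one-way hash.
    return hmac.compare_digest(hash_password(received_password, salt), stored_hash)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    salt = b"constructed-salt"                  # fixed so the demo is repeatable
    stored_hash = hash_password(password, salt)

    ident, challenge = 7, bytes(range(16))      # constructed challenge
    client_resp = chap_response(ident, password, challenge)

    return {
        # PAP works when the server stores only a hash.
        "pap_with_hash": verify_pap(password, salt, stored_hash),
        # Challenge-response works when the server stores the cleartext.
        "challenge_with_cleartext": verify_challenge_response(
            ident, challenge, client_resp, password),
        # Challenge-response fails when the server holds only a hash.
        "challenge_with_hash_only": verify_challenge_response(
            ident, challenge, client_resp, stored_hash),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The last case is why the credential store behind the RADIUS server ends up holding recoverable passwords and needs the access controls described above.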

The FreeRADIUS package included with SUSE Linux distributions has been compiled with the appropriate options to allow authentication against an eDirectory server. Instructions on how to do this can be found in TID 3009668.