Wednesday, June 3, 2009

802.1x finally working!

After 2 days of playing around trying to get RADIUS talking to our Open Directory server, we chose a different tack and solved the problem using Apple's own RADIUS installation.

The main problem was that Apple's Open Directory doesn't include some standard LDAP attributes (such as memberOf), meaning that we couldn't interrogate a user's LDAP record and determine their group memberships - we want to restrict access to users in the group "wireless". Since I didn't want to alter the structure of Open Directory (Bad Things [TM] might happen), we were almost resigned to the fact that it wouldn't work.

But then we discovered how to 'tweak' the RADIUS server provided with Mac OS X Server 10.5 "Leopard", create our own SSL certificate, and use Apple's own restrictions to limit access to the RADIUS service... voila! A working 802.1x system. The catch was that Apple's RADIUS implementation only supports AirPort Base Stations, so we had to implement some workarounds to get it working with our HP ProCurve wireless controllers.

This command was useful for generating the DH parameter file for TLS: "openssl dhparam -check -text -5 2048 -out dh". This link was handy for getting RADIUS working correctly: http://www.macosxhints.com/article.php?story=20071130134610850

The only things remaining to do are to look at restricting the times of day that students can use the new WLAN, to come up with an application form to join the network, and to write a "howto" showing students how to connect to the network. We may also have to look at a Proxy Auto-Config so students get the correct web proxy settings at home and at school.