简体繁体 English

Freeradius中的认证协议

[英]Authentication Protocol in Freeradius

原文 2014-06-05 12:05:00 0 1 authentication/ protocols/ freeradius

I want to setup a radius server for my college of around 2000 students and a hundred faculties. 我想为大约2000名学生和100个系的学院设置一个Radius服务器。 I am familiar with freeradius + MySQL but never deployed it except for in on my laptop. 我对freeradius + MySQL很熟悉，但是除了在我的笔记本电脑上以外，从未部署过它。

Which Authentication protocol should I Choose if my Considerations are 如果我的考虑因素是我应该选择哪种Authentication protocol
Easy for Users to Connect to NAS , Easy to Setup for the Users.(w/o 3rd party softwares). 易于用户连接到NAS ，易于用户安装（不带第三方软件）。
Can I use WPA2-personal ? 我可以使用WPA2-personal吗？
Is Certificates necessary and if so how can I implement it? Certificates是否必要？如果需要，该如何实施？
Is there any particular EAP flavor that is supported by both Windows and Linux? Windows和Linux是否都支持任何特定的EAP风格？

1 个解决方案

The only protocols which match your requirements are EAP-TLS and EAP-PEAP. 符合您要求的唯一协议是EAP-TLS和EAP-PEAP。 They are pretty much universally supported by all supplicants. 他们几乎得到了所有请求者的普遍支持。 EAP-PEAP uses username/password as credentials whereas EAP-TLS uses client certificates. EAP-PEAP使用用户名/密码作为凭据，而EAP-TLS使用客户端证书。
No. you should use WPA2-Enterprise. 不，您应该使用WPA2-Enterprise。
No. Not if you use EAP-PEAP. 否。如果您使用EAP-PEAP，则不会。
EAP-PEAP and EAP-TLS are supported by both. 两者均支持EAP-PEAP和EAP-TLS。

Note: For EAP-PEAP you either need to have the NT-Password hash of the user, the user's password in cleartext, or an Active directory server which you can auth against. 注意：对于EAP-PEAP，您需要具有用户的NT-Password哈希，明文形式的用户密码或可以进行身份验证的Active Directory服务器。