Re: Radius + wireless access

To: Gabriel Granger <gabe@pancentric.com>
Cc: debian-user@lists.debian.org
Subject: Re: Radius + wireless access
From: Alvin Oga <aoga@ns.Linux-Consulting.com>
Date: Tue, 5 Oct 2004 12:15:43 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.3.96.1041005120104.10303A-100000@Maggie.Linux-Consulting.com>
In-reply-to: <[🔎] B08FA338-16E8-11D9-A2BA-000A95864E06@pancentric.com>

hi ya

On Tue, 5 Oct 2004, Gabriel Granger wrote:

> I've got a couple of wireless AP around the office, and would like to 
> mange the laptop with wireless cards using Radius for authentication.  
> all of my AP have the ability to talk to a Radius server.  I have got 
> my radius server up and working using some simple test accounts, I've 
> done some looking around everything seems to point to EAP.  I might be 
> wrong, but I thought EAP requires cert to be issued to the client 
> machines.  I want a simple authentication system, so that office 
> workers can gain access anywhere in the building but also so that 
> trusted clients can gain access too with out having to had out 
> certs(just give them a username password)
> 
> Am I thinking about this the wrong way? is it possible to just 
> wirelessly authenticate users based on a username and password like you 
> can with dialup users?

from what i seen ... depending on the wireless setup

- once a wl card finds an ap and associates with it ...
	- it can go live on the wire unless there's soemthing else
	blocking its connections
	( live on the wire is surf the web w/o any login info )

	- assumes that you have dhcp runnng as most people do
	( a extreme bad idea for the above reason )

- if the association to the AP is step 1, and you need authentication
  to go live, means that you turn on ssh and a firewall to allow
  that new host to go live
	- radius adds more complications .. too much work 

	- ssh login is good enough
	- i use static ip#  ... i like to know who it is

	- once ssh presents a login: screen ..
	than it can updates the firewall rules or even a web-based
	login 

	- remember... they can surf the web or see your wl gateway 
	webserver without logging in unless:
		- you prevent that by not using dhcp 
		- you prevent it by using a dynamic firewall
		- you prevent it by a login requirement first

		- they are able to see all packets ... 
	
	- use a linux based AP ... so you have the flexibility
	and control vs the generic AP off the shelf which allows
	anybody to do anything via the web gui that most people
	never change ( 1/2 the people, aka average consumers )


- if you want eap ... it implies you are using WPA for the
  wireless encrypted packets instead of WEP encrypted packets

	- too much work ... and too many incompatibilities

	- use a netgear AP w/ wpa with a netgear pci cards
	and do not mix manufacturers unless you like being
	their testing and qa lab for them
		same for linksys, dlink, cisco, ...

- wep or WPA makes no difference ...
	- always use ssh ... so if they do break your wireless
	encryption, all they sse is oyur ssh encrypted traffic

	- always use secure pop3, secure imap, scp(not ftpp)
	... on and on ..

for more wireless fun ... 
	www.linux-wireless.org

c ya
alvin

Reply to:

References:
- Radius + wireless access
  - From: Gabriel Granger <gabe@pancentric.com>

Prev by Date: Re: Installing from net with floppy disks - syst em don´t recognize my hard disk
Next by Date: Re: Nvidia + 2.6 kernel
Previous by thread: Radius + wireless access
Next by thread: Adding folded headers in Exim 4.
Index(es):
- Date
- Thread