martin f krafft wrote:
> I am faced with the challenge to secure access to a WLAN beyond the
> WEP crap. In fact, what we would like to institute is a login-based
> method in which users have to authenticate with the gateway before
> being given access. The solution must allow for encryption of the
> channel and be compatible/usable with Windows, even without admin
> rights.

I would definitely take a look at port-based access (802.1X) and use
authentication based on EAP tunnelled by TLS.

You basically need three things for this:

1/ Something that provides access to some (V)LAN to some client; the
   authenticator (this can be a switch or an access point)
2/ Something that wishes to gain access to a LAN; the supplicant (a
   piece of software on the client that does EAPOL)
3/ Something to handle authentication; the authentication server
   (RADIUS)

802.1X is in fact user-based network access. You are very flexible with
authentication and it allows you to implement guest usage if you wish,
because you are able to appoint VLAN membership based on who someone is
or to what group somebody belongs.

The standard also provides means to secure a WLAN by flexible
appointment of encryption keys to users; you just let WEP keys rotate
quickly so there is no time to crack them.

Henk

--
Henk Roose <Henk.Roose@cwi.nl>
CWI - Centrum voor Wiskunde en Informatica
Centre for Mathematics and Computer Science
Amsterdam (NL)
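
The group-based VLAN assignment described in the message above, as an added example that is not part of the original post: the authentication server encodes the RADIUS tunnel attributes defined in RFC 2868 / RFC 3580 into its Access-Accept, and the authenticator decodes them before placing the port in a VLAN. The group names, VLAN IDs and function names are assumptions made for this sketch.

```python
import struct

# RADIUS attribute types and values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy: group names and VLAN IDs are assumptions for this example.
GROUP_VLAN = {"staff": 10, "students": 20}
GUEST_VLAN = 99

def vlan_for(groups):
    """Pick the VLAN of the first known group, else fall back to the guest VLAN."""
    for g in groups:
        if g in GROUP_VLAN:
            return GROUP_VLAN[g]
    return GUEST_VLAN

def _tagged_int(attr_type, value, tag=0):
    # Layout: type(1) length(1) tag(1) value(3), 6 bytes in total
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_vlan_attrs(vlan_id):
    """Attributes the authentication server places in an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    vid = str(vlan_id).encode("ascii")
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)

def decode_vlan(attrs):
    """Authenticator side: return the VLAN ID, or None if the set is incomplete."""
    seen, vlan, i = {}, None, 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and length == 6:
            seen[t] = int.from_bytes(body[1:], "big")  # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:  # optional tag byte precedes the string
                body = body[1:]
            vlan = int(body.decode("ascii"))
        i += length
    if (seen.get(TUNNEL_TYPE) == TYPE_VLAN
            and seen.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802):
        return vlan
    return None  # caller should apply its default (e.g. deny or guest VLAN)
```

Returning None when Tunnel-Type or Tunnel-Medium-Type is missing keeps a stray group ID from moving a port into a VLAN on its own.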