Re: Radius + wireless access
On Tue, 5 Oct 2004, Gabriel Granger wrote:
> I've got a couple of wireless APs around the office, and would like to
> manage the laptops with wireless cards using Radius for authentication.
> All of my APs have the ability to talk to a Radius server. I have got
> my radius server up and working using some simple test accounts. I've
> done some looking around and everything seems to point to EAP. I might be
> wrong, but I thought EAP requires certs to be issued to the client
> machines. I want a simple authentication system, so that office
> workers can gain access anywhere in the building but also so that
> trusted clients can gain access too without having to hand out
> certs (just give them a username/password).
> Am I thinking about this the wrong way? Is it possible to just
> wirelessly authenticate users based on a username and password like you
> can with dialup users?
from what i've seen ... depending on the wireless setup
- once a wl card finds an ap and associates with it ...
- it can go live on the wire unless there's something else
  blocking its connections
  ( live on the wire is surf the web w/o any login info )
- assumes that you have dhcp running as most people do
  ( an extremely bad idea for the above reason )
- if the association to the AP is step 1, and you need authentication
  to go live, that means you turn on ssh and a firewall to allow
  that new host to go live
  - radius adds more complications .. too much work
  - ssh login is good enough
  - i use static ip# ... i like to know who it is
  - once ssh presents a login: screen ..
    then it can update the firewall rules or even a web-based
- remember... they can surf the web or see your wl gateway
  webserver without logging in unless:
  - you prevent that by not using dhcp
  - you prevent it by using a dynamic firewall
  - you prevent it by a login requirement first
- they are able to see all packets ...
- use a linux based AP ... so you have the flexibility
  and control vs the generic AP off the shelf which allows
  anybody to do anything via the web gui that most people
  never change ( 1/2 the people, aka average consumers )
- if you want eap ... it implies you are using WPA for the
  wireless encrypted packets instead of WEP encrypted packets
  - too much work ... and too many incompatibilities
  - use a netgear AP w/ wpa with netgear pci cards
    and do not mix manufacturers unless you like being
    their testing and qa lab for them
    same for linksys, dlink, cisco, ...
- wep or WPA makes no difference ...
  - always use ssh ... so if they do break your wireless
    encryption, all they see is your ssh encrypted traffic
  - always use secure pop3, secure imap, scp (not ftp)
    ... on and on ..
for more wireless fun ...
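One way to build the "ssh login first, then the firewall lets the host go live" scheme the reply sketches, written as an added example that is not part of this thread or either poster's setup. It assumes a Linux wireless gateway running OpenSSH with iptables, a wireless-side interface named `wlan0`, and a user-defined chain `WL_AUTH` for per-client ACCEPT rules; the sshd log lines are constructed samples in OpenSSH's message format. The base rule set is default-deny: an associated client can reach nothing but the gateway's sshd, and forwarding is opened only for addresses that have an open SSH session. A client's rule is withdrawn when its last session closes.

```python
"""Gate wireless clients behind an SSH login by turning sshd auth events
into gateway firewall changes.  Added example, not from the list post."""
import re
from collections import Counter

WL_IFACE = "wlan0"   # assumed: gateway interface facing the wireless APs
CHAIN = "WL_AUTH"    # assumed: user-defined chain holding per-client ACCEPT rules
SSH_PORT = 22

# OpenSSH sshd messages for a successful login and for a session ending.
ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
CLOSE_RE = re.compile(
    r"Disconnected from user (?P<user>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample auth log (not real data).
SAMPLE_LOG = [
    "Oct  5 09:12:01 wlgw sshd[2211]: Accepted password for alice from 192.0.2.10 port 40211 ssh2",
    "Oct  5 09:13:44 wlgw sshd[2230]: Accepted publickey for bob from 192.0.2.11 port 40250 ssh2",
    "Oct  5 09:14:02 wlgw sshd[2241]: Failed password for invalid user admin from 192.0.2.12 port 40301 ssh2",
    "Oct  5 09:20:17 wlgw sshd[2260]: Accepted password for alice from 192.0.2.10 port 40333 ssh2",
    "Oct  5 09:45:50 wlgw sshd[2211]: Disconnected from user alice 192.0.2.10 port 40211",
    "Oct  5 10:02:09 wlgw sshd[2260]: Disconnected from user alice 192.0.2.10 port 40333",
]


def base_rules(iface=WL_IFACE, chain=CHAIN, ssh_port=SSH_PORT):
    """Default-deny skeleton loaded once at boot: an associated client may only
    talk to the gateway's sshd, and traffic is forwarded only for addresses
    that have been added to the auth chain."""
    return [
        f"iptables -N {chain}",
        f"iptables -A INPUT -i {iface} -p tcp --dport {ssh_port} -j ACCEPT",
        f"iptables -A INPUT -i {iface} -j DROP",
        f"iptables -A FORWARD -i {iface} -j {chain}",
        f"iptables -A FORWARD -i {iface} -j DROP",
    ]


def allow_rule(ip, iface=WL_IFACE, chain=CHAIN):
    """Command that lets one authenticated client's traffic be forwarded."""
    return f"iptables -A {chain} -i {iface} -s {ip} -j ACCEPT"


def revoke_rule(ip, iface=WL_IFACE, chain=CHAIN):
    """Command that removes exactly the rule allow_rule() added."""
    return f"iptables -D {chain} -i {iface} -s {ip} -j ACCEPT"


def process_auth_log(lines):
    """Walk sshd log lines in order.  Returns (commands, active): the firewall
    commands to issue, in order, and the clients still authenticated at the
    end (ip -> user).  A client keeps its ACCEPT rule until its last open SSH
    session closes; failed logins and unrelated lines are ignored."""
    sessions = Counter()   # ip -> number of open SSH sessions
    active = {}            # ip -> username that authenticated it
    commands = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            ip = m.group("ip")
            if sessions[ip] == 0:           # first session: open the gate
                commands.append(allow_rule(ip))
                active[ip] = m.group("user")
            sessions[ip] += 1
            continue
        m = CLOSE_RE.search(line)
        if m:
            ip = m.group("ip")
            if sessions[ip] > 0:
                sessions[ip] -= 1
                if sessions[ip] == 0:       # last session gone: close the gate
                    commands.append(revoke_rule(ip))
                    active.pop(ip, None)
    return commands, active


if __name__ == "__main__":
    for cmd in base_rules():
        print(cmd)
    cmds, still_up = process_auth_log(SAMPLE_LOG)
    for cmd in cmds:
        print(cmd)
    print("authenticated clients:", still_up)
```

The script only prints the commands so it can be read and tested offline; a real deployment would run them from a log tailer or a PAM session hook on the gateway. Because the gate keys on the source address, it is only as strong as the address binding, which is the reason the reply insists on static addresses rather than DHCP; pinning the rule to the client's hardware address as well (iptables' `mac` match) narrows the window in which another associated station can reuse an authenticated address.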