Microsoft and Wireless Authentication
An anonymous reader writes: "Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP. [ed. note: it's a draft standard] Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows. My question is, since PEAP is dependent upon the Windows EAP-TLS infrastructure, are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS? Sifry's has some good commentary and links. Opensource wireless hackers, are you working on this?"
Meanwhile other companies use things like iPod to lure users.
It's just a fucking draft (not completed might I add). Christ my grandma could post a better article.
I think the more logical approach is rather to more thoroughly develop the existing standing LEAP. Just because MS made a new standard doesn't mean that everyone has to use it.
Seems to me it is a much more efficient use of man-power to just ignore it; maybe it will go away. I don't see why Cisco would invest their time and money in making themselves compatible to a competing technology. The only one who benefits from it is MS, therefore, they should be the only ones to use it. And if they /are/ the only ones to use it, it doesn't even benefit them.
Freedom is the freedom to say that 2 + 2 = 4
Opensource wireless hackers, are you working on this?
*Yawn*
No, we're not. Can I go back to sleep now?
"Microsoft's been working on a new, secure authentication standard...."
Hopefully, "secure" implies slightly more secure than Windows 98 "secure". I wouldn't count on it, though.
secure authentication [...] dependent upon the Windows EAP-TLS infrastructure
Just by the sound of it it doesn't look very secure to me.
Likely MS will get it considered a "standard" because of the large desktop market share.
Microsoft is going to beat companies and individuals about the head because 95 % of users rely on their desktop. Plus they got all the good fonts.
"Even if God himself came down here and played on our team it wouldn't matter because all the really good looking girls would go to camp Mohawk."
"never met a Microsoft zealot"
Microsoft supports its proprietary NTLMv2 on Mac OS X (http://www.microsoft.com/mac/products/win2ksfm/default.asp) so they might also support OS X for this.
47% of all statistics are made up on the spot.
It's foolish to worry about. If there's hardware encryption, it's gonna stick better than software encryption from Microsoft. Microsoft has a big (but non-monopolistic, of course) market share, but not enough to oust a standard by Cisco, in my (uninformed) opinion.
My answer is, it won't become a standard unless companies other than Microsoft support it. Besides, there is a big difference between "a standard" and "the standard". I'd be curious to know how many of "the standards" (HTTP, TCP/IP, etc.) require the use of proprietary technology.
Java is the blue pill
Choose the red pill
I just got a neat flash from my crystal ball. There was a shot of a Microsoft Executive saying:
'Well, you cannot blame us for weaknesses in our cryptographic technology - we called the protocol 'PEEP' for a very good reason'
The only truly good Microsoft networking technology has been stuff that they outsourced, bought, or stole from others. Point this to your pointy haired manager, along with all the nasty stories on the net about 802.11b and the cash-hoovering technologies people are promoting to make this appear to be secure, and the idea will die.
Is that like a newer version of OS/2?
Wow are we gonna have crummy articles posted every time MicroSucks is scheming and planning something? Vaporware as far as I'm concerned...
There's an open source effort that supports 802.1x with EAP-TLS (http://www.open1x.org). One could probably extend this to work with PEAP, if needed. But there are other protocols that may "win out", such as TTLS or LEAP.
Did anyone actually that post?
Some of the people from the FreeS/WAN team have been working on WaveSec. Wavesec uses IPSec, a well known and trusted standard, to secure the radio waves.
-- bartman
Why add new software when there is software that will handle this already? The wireless link is just as unsecure as the internet, 802.11b should always be placed OUTSIDE of the firewall (w/ firewall protecting your private network). Why is this so hard?
Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com
From my quick scan of the actual IETF draft, it takes the existing PPP authentication model and wraps it in TLS for security, which seems like a reasonable quick-fix. Given that it's being run through the IETF, which from a quick search, LEAP isn't, it would seem to me that PEAP is the better option of the two...
EAP-LEAP is one of the worst attempts (after basic WEP) at developing a protocol to secure wireless communications. Better to do IPSec through a VPN than to use it.
EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...
EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).
The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.
Unfortunately, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.
Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).
Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.
I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).
Mind the gap...
If you read the article, it has been submitted to IETF and has been authored by people from RSA, Cisco and MS. If it does become a standard, hopefully most of that "old" non-supported equipment can be updated/flashed to make it work.
With the original security holes in basic wireless, our company waited until we could roll out Cisco's LEAP. As a company that is a Microsoft and Cisco shop, LEAP integrated wonderfully with Active Directory and had a client available for every device we use.
So with already seamless use, not to mention NOT requiring certificates on our access-points, why would a company want to use PEAP over LEAP? I can see companies getting burned by starting out with PEAP only to later move to LEAP.
I remember (vividly) when TCP/IP didn't ship with MS OS's (or Mac either). There were several third party vendors that implemented the standards.
They were universally difficult to install and poorly integrated. The day MS released the beta of Wolverine (TCP/IP for WFW) was a very, very happy day. This implementation was different than most other vendors (VxD based if memory serves me right). It also had MS specific overtones in how it was implemented (putting it mildly). It also stomped out most other established standards within a year.
Quick survey -- who here uses an IP stack other than MS's on a MS supplied OS?
I see all these wireless hubs being sold at consumer electronics stores because they are simpler than wired networks and I think 'is someone who regards plugging CAT5 cables into a hub to be 'too complicated' going to be able to set up any security that is not completely out of the box?' These are so wide open they might as well include in the box a warchalking decal to stick on your front window.
The funny thing is that if the wireless hub vendors DID get their act together on this then easy security would be a feature that would resonate strongly with the average consumer.
Remember how long the auto industry argued that requiring airbags in cars would kill auto sales?
For actually I that post, luser.
- This is a multi-vendor effort, since the first question every wireless equipment reseller gets asked during the first five minutes of any REAL customer presentation (i.e., the ones with geeks in them, not fat corporate flunkies looking for a couple hours off and free pens) is: what do you have besides WEP?
:)
- Cisco in particular has been getting bashed for LEAP not being a real standard, not being open-source (ask the Radiator guys at open.com.au what kind of answer they got when they wanted to implement LEAP) and having at least two security loopholes (search slashdot for the info)
- It does NOT require deployment of a certificate authority. It depends on how you decide to configure your setup, and will work just the same as LEAP, but in a standardized way.
- I have had Cisco beta firmware (for Aironet 350) that implements this for two months now. It has a few quirks, but it's supposed to be stable come Q4 (i.e., in a couple of weeks now). It's a trifle slow, and seems to glitch on WEP key rotation.
(the real issue is not just two-way authentication, but authentication AND key management.)
- It's supposedly compatible with just about any 802.1x client (so Xsupplicant should work, but I couldn't be bothered to try)
- Apple already supports LEAP (so so), so full 802.1x/PEAP support should be forthcoming.
What you guys should REALLY be worried about (well, those of you who actually manage the networks you set up your boxes in) is the complete, utter lack of decent Windows 2000 support for this.
There is NO WAY everyone using WLANs (even Cisco ones) will migrate to XP (and I don't see any corporate moves in that direction on my side of the pond), and even less chance that your run-of-the-mill corporate user runs Linux on his laptop, so W2K support will be a hellish problem.
(It was supposed to be in the last W2K service pack, but since the "flagship" XP version isn't out, I guess we're at Bill's mercy.)
Oh, and did I mention time to market for non-Cisco vendors? And the AP-on-steroids you need?
Fast forward to today, and the SecureFast scheme is still the most secure. So it made sense to Microsoft to work with Enterasys to build a wire level authentication scheme into its OS. Christen it "EAP".
Cisco's LEAP is a derivative, and Funk Software has implementations that seem to be more robust (less proprietary).
The wireless aspect of it is in the news because that is perceived as the most vulnerable part of LANs today; but realize that these schemes work just as well for wired networks too.
"The most sensible request of government we make is not, "Do something!" But "Quit it!"
I know this may be a little off-topic but it's kind of related.
So far for my honours project, I am proposing a driver based encryption for 802.11 cards that take advantage of the new WEP+. Sure you may say WEP is totally insecure, but heck I see it as a first line of defense. So far WEP+ takes approximately about 2 weeks to get the keys using air-snort and that's just a rumoured comment from a mailing list! No one has officially claimed to break WEP+!!!
The development project will be entirely under Linux and for Prism 2/2.5 cards. As for Microsoft's "DRAFT" standard proposal. My thoughts are with the majority, that is, it will scare off most medium to large inter-enterprise businesses.
It is a known fact that Bill Gates sold off most of his shares. Maybe it finally has begun (the dethroning).
I bet we will see a troll in the next few months reporting "Windows is DYING" LOL
There are six other contributors to the Project. Microsoft and Cisco are there and while they are two mighty large behemoths in the industry there are several other people and organizations with their eggs in the basket too.
The ed copy almost urges us to pour wood on the MS sacrificial pyre.
Any large outfit with software, hardware, anything to do with networking is gonna have their fingers in this pie. And MS or Cisco would have not been idiots to get on it. And both companies can put money and people on the case.
MS realizes UNIX (Linux) is a force and, although they do not like it, know they must coexist. The days of MS thinking they could destroy us are over. But every crusade needs its zealots, and us on the Nix have em.
Hey if MS can do something to secure the MS networks I have to support, and it contributes to the community. Take their money, develop it, and we all benefit from it. I might get a weekend off.
Just a draft for a project with multiple backers. But it has MS in it so let's skew the editorial comment.
Truth in Journalism is hard to come by we all have learned to read between the lines.
We read the slashdot cause it compiles info from sources on the web we do not have go looking for. Neither time nor inclination. But referencing someone else's work, and then putting a slant on it is something else. It is cheesy. If you want to spin, learn to spin. Sometimes the articles here have all the intelligence of liner notes from 80's hair bands.
Puto
The Revolution Will Not Be Televised
There are some even newer IEEE (and IETF to a certain extent) proposals in the way to force authentication *before* your "device" is allowed to make its way past the physical connection (strange how this forces one to think of wireless as a physical connection - I know it is : waves/particles : but I can actually *see* the RJ45 connector and CAT5E cable *:^). *That's* when things get cool. Authenticate/authorize me before I even get the ability to sniff broadcast traffic then make sure everything thereafter is AES encrypted so even kismet and Ethereal won't even be able to watch ARPs and DHCP traffic.
Combine that with applying per-user/group ACLs that really make sure I can only go (at least initially) where I should and we start to have full-port security.
That might be what the Cabletron/Enterasys solution is...I need to check that out if so (many thanks for the post!)
And, as far as the most vulnerable part of the LAN goes: it's the end-user with a M$ workstation.
Mind the gap...
I that post, too. You didn't it?
There should be a moratorium on the use of the apostrophe.
Max V.
NeXTMail/MIME Mail welcome
pronounced pee-pee?
MS tends to support Mac OS, albeit poorly, with their various networking protocols, passports, etc. No doubt, the MacBU (Business Unit) at MS typically has to play catch up, it usually gets the job done. (I have a feeling that those poor guys are left out in the cold on a lot of things :))
As for linux though... I doubt MS wants to go out of the way to make linux users feel welcome.
However if things keep going the way they're going, open standards will always prevail. I would imagine that most WiFi router manufacturers would rather sell routers that function on all 3 major platforms right immediately (as they do now). Seems kind of dumb to sling hardware that only functions on Windows, with the possibility of mac support 6 months down the line, and little possibility of Linux support.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Microsoft and security! Please ........
I just got my linksys wpc11 wireless pc card working under Red Hat 7.3. The drivers are available at www.linux-wlan.com/. These drivers do not support Microsoft's new standard. This may leave many people out in the cold because most wireless cards sold today are based on the prism2/2.5/3 chipset.
I never thought I'd hear those words in the same sentence.
Time to download Internet Explorer 6.
"All art is quite useless." -- Oscar Wilde
Unfortunately, SecureFast is on its way out. Enterasys got really burned because its competitors (correctly) pointed out that it is proprietary. So they now don't release anything that isn't backed up by an IEEE standard.
This new stuff works with ActiveDirectory, so yes you do get full-port security. First, the machine has to get on the LAN (authorized MAC's only in the tightest security scheme); then, the user (logged in name) can get individual QOS / Priority traffic policies applied to their connection. Sweet.
Am I thrilled yet? No. Our shop is an NDS shop, not ActiveDirectory. (chuckle) I am told that Enterasys is working on that though.
Just as an example of what this can do for you, here is something we did in SecureFast when we had it: a rogue sysadmin put up a DHCP server on our net and started stomping on IP addresses we were handing out. We called him up and told him to shut off his DHCP server. He said he wasn't running one. We told him to shut it down or else. 24 hours later he was still running DHCP. So we put his machine's MAC in our "timeout" VLAN. Didn't matter which port he plugged into on any switch in our 1800+ user network - the port would appear dead to his NIC. (really, the port was live, but every packet went into the bit bucket). He never knew what hit him. We eventually got a work order to fix his broken 'ports'. Heh.
Sometimes it feels good to play BOFH. :-)
As a practical matter, sometimes you do need that level of control on your network. (I read my .sig in preview mode, and thought "Gee. If the guy got really ticked... hmmmm...")
"The most sensible request of government we make is not, "Do something!" But "Quit it!"
Yeah, today. It'll be one version behind all the time and then one day - who knows - "oh we're not making that for the Macintosh anymore...our customers don't want that." It's the same reason why I wouldn't want anyone to port DirectX to the Mac. Rather we should all throw our weight behind OpenGL despite any short-term gains that might be had going the other way.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
So far:
M$ proposes improvement to wireless security. Bad!
Ci$co supports M$. Bad!
IETF in the pockets of M$ & Ci$co. Bad!
Open Source community cannot implement IETF standards. Bad!
Microsoft! Bad!
Ci$co! Bad!
No wireless security! Bad!
Slashdot users have no alternatives! Bad!
Slashdot users waste their time reading this! Bad!
In case Slashdot users need to hear it again. Microsoft BAD!!
Could this have anything to do with Microsoft's upcoming wireless products this fall? Wouldn't be just too convenient to have your own proprietary security standard for your branded wireless devices. This is the kinda crap I hate from MS :-(
Have a Happy.
Where do you want your data to go today?
It's a shame they didn't open it up.
The type of control/configuration would be extremely useful here (and not just for the annoyance factor *:^) I know Cisco has some similar stuff half working, but it takes a bit to prod our network folks to [breathe|bathe|do more than watch OpenView pretty colors change].
Very cool stuff nonetheless, tho...
Mind the gap...
"one of these things is not like the other, three of these things are kind of the same"
everybody sing !!!!
seriously - there ought to be a literary term for a sentence like that, oh wait there is, it's called
"Irony"
Why do we need new network security standards for WLANS? There are already standards for VPNs that fill the same need. From a security standpoint, a WLAN is about as secure as the internet. Why not just treat the WLAN as "the internet" and let all users connect to it using a VPN standard that is already supported on almost all platforms. This seems to be a simpler and cheaper way.
Windows 2000, Windows 98/ME, and Windows NT 4. I haven't tried PEAP on Win2K yet, but TLS works just fine with it.
Frankly, I was stunned that they released NT and 98 support for it.
Part of how the LEAP protocol works involves custom information elements in Probe responses, and "cruft" tacked onto the association request and response packets. It's not a clean solution, and it's very proprietary. Sure, they'll let companies like Funk write backend AAA support for it, but the "bits in the middle" are kept under tight control. Don't count on ever getting LEAP running through a non-cisco Access Point.
go M$! monopolize everything! resistance is futile! w00t! ... bah.
LEAP is not a standard, it's Cisco's proprietary scheme, and is only supported by Cisco APs and authentication servers.
PEAP is an open standard, with Cisco as one of the main participants along with MS.
PEAP and EAP-TLS will be supported on downlevel Microsoft clients (NT, 9x, 2k)
PEAP can be implemented by any system supporting the required crypto, so there's no reason why Linux or Mac clients can't support it
PEAP is able to protect any embedded EAP-type, not just Microsoft's EAP-MSCHAPv2
But Linux? That's not right. :-)
Passwords suck. More precisely, people suck at making and memorizing passwords. Here's an idea for secure authentication without passwords:
I set up my wireless card until I can see the ID string of the network. I don't have any access yet.
I start the authentication client and type in a descriptive name for my machine.
I call the system administrator on the phone.
The system administrator sees my authentication request with the associated description and authorizes it.
That's all.
Why is it secure? The actual shared secret is generated by Diffie-Hellman key exchange or other method that is secure against sniffing. Theoretically it is vulnerable to a man-in-the-middle attack but in practice it is difficult to perform on a broadcast medium like wireless. Even if it is practical it is impossible to do it silently without raising suspicion - the attack attempts will be clearly visible on the list of authentication requests and the request must be authorized manually.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
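The enrollment flow proposed in the comment above, sketched as an added example that is not part of the original thread: unauthenticated Diffie-Hellman plus a manual approval queue, showing what the administrator's list contains when the public value is replaced in transit. The toy group parameters, the `AccessPoint` class, the `fingerprint` helper and the step of reading a fingerprint over the phone are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, demonstration only): a 127-bit prime
# is far too small for real use; deployments use 2048-bit+ groups or curves.
P = 2**127 - 1
G = 3


def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Hash the DH shared secret into a symmetric session key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Short digest of a public value, short enough to read out by phone
    (hypothetical helper, not part of the scheme described in the comment)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:8]


class AccessPoint:
    def __init__(self):
        self.priv, self.pub = keypair()
        self.pending = []    # (description, public value) awaiting the admin
        self.keys = {}       # description -> session key once approved

    def request(self, description, client_pub):
        self.pending.append((description, client_pub))
        return self.pub      # the AP's public value goes back over the air

    def admin_list(self):
        """What the administrator sees: description plus key fingerprint."""
        return [(d, fingerprint(pub)) for d, pub in self.pending]

    def approve(self, description, fp_from_caller):
        """Approve only if the fingerprint read out by the caller matches."""
        for entry in self.pending:
            d, pub = entry
            if d == description and fingerprint(pub) == fp_from_caller:
                self.keys[d] = shared_key(self.priv, pub)
                self.pending.remove(entry)
                return True
        return False


def enroll_direct():
    """No interference: both sides end up with the same session key."""
    ap = AccessPoint()
    priv, pub = keypair()
    ap_pub = ap.request("alice-laptop", pub)
    approved = ap.approve("alice-laptop", fingerprint(pub))
    same_key = ap.keys.get("alice-laptop") == shared_key(priv, ap_pub)
    return approved, same_key


def enroll_with_substitution():
    """The public value is swapped in transit. The request still carries the
    expected description, so the description alone does not expose the swap;
    the fingerprint the real client reads out does."""
    ap = AccessPoint()
    _, client_pub = keypair()
    _, substituted_pub = keypair()               # constructed stand-in value
    ap.request("alice-laptop", substituted_pub)
    listed = ap.admin_list()
    approved = ap.approve("alice-laptop", fingerprint(client_pub))
    return listed, approved, len(ap.pending)


if __name__ == "__main__":
    print("direct:", enroll_direct())
    print("substituted:", enroll_with_substitution())
```

In the substituted case the entry stays on the pending list under the expected machine name, which is the visible trace the administrator can act on.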
I posted this in some other discussion the other day but.........
Why not just use IPSec? My coworker and I have been trying to figure out how to securely deploy 802.11b around the office and I came up with the idea of using IPSec. I'm the lone Macintosh island in a sea of Windows desktops and laptops at the office so I'm waiting for next week (when I get my copy of Jaguar and hence IPSec support) to really get to hack on this but the current plan is use an IPSec VPN (and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux (preference in that order, yeah I know I've got a BSD partiality) firewall between the AP and the wired LAN and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing wired IPSec communication but in theory that should apply to the wireless as well.
here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
OpenBSD IPSec
FreeBSD IPSec
Windows 2000 to FreeBSD
DaemonNews Article
FreebsdDiary Article
After pondering the "secureness" of using IPSec in lieu of WEP I've come up with one weakness and one side effect since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say Jane sales chick shows up with her personal laptop and tries to use the wireless network in the office: she gets an IP address but can't get into the wired net because she can't establish an IPSec VPN. Joe cust service has his laptop in the office too. He gets an IP but gets blocked by the IPSec firewall. As a side effect there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients (if there are any) and use that as a jumping off point to the LAN or to his/her credentials. Another thing I've given some thought to is, depending on the overhead of IPSec, you could take the onion skin approach, making the side effect a little more difficult to non tech type (we all know how secure WEP is) by also using 64 or 128 bit WEP in addition to IPSec.
Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines of thought, inaccuracies, etc. I've got going on here. If I'm successful I'll probably document it and post on the Web.
--
What is pirate software? Software for inventory of stolen treasure?
"
... ]
Protected EAP Protocol (PEAP)
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.
[
Expiration Date
This memo is filed as , and
expires August 22, 2002.
"
-- Terry
"Cisco already offers secure authentication for their own wireless gear with LEAP, and did an outstanding job of making this capability available for Linux and OS/X, as well as for Windows" As far as I can see, Cisco have never released the spec for LEAP, so it's hard to see how they have done an outstanding job of supporting the Linux or opensource communities. LEAP is a proprietary, closed, secret protocol. All the available implementations are binary-only, non source commercial. And without the spec in the public, how can anyone be sure it really is secure? I think Cisco have let everyone down with LEAP.
Hey if MS can do something to secure the MS networks I have to support, and it contributes to the community. Take their money, develop it, and we all benefit from it. I might get a weekend off.
Hey, maybe if we appease the Nazis just a little more, they will back off. Collaboration with MS should not be tolerated on any level. This includes Miguel and his fetish for .NET, and any sort of "standard" MS has their grubby fingers in.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Come on, a standard to prevent wardriving called PEEP? Sounds like another product that will live up to Microsoft's reputation for security.
Would you rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.
-------
Warning: Slashdot may contain traces of nuts.
802.11's link and ethernet layer aren't secure, and if the underlying security issues aren't taken care of it won't help anything that's pasted to it. I don't care what is added to 802.11 I can still sniff out, and join any 802.11 network, by cracking wep with airsnort, then changing my MAC to an authorized MAC, then I can poison arp tables on the entire network the wireless device is connected to.
Huh? Did you actually read the referenced article? It explicitly talks about the potential dangers here to non-Microsoft systems.
Seems to me there are plenty of issues here that have the potential to affect Linux wireless access. We want to avoid a repeat of the winmodem situation, which in this case could be more severe because it affects access to networks, not just a local piece of hardware. The way to do that is to make sure information gets out early, along with awareness of the protocols, issues, and potential traps involved.
You describe yourself as "us on the Nix", but I have to wonder if you've ever touched anything other than Windows - otherwise, you might actually have some appreciation of the real-world problems of coexisting with Microsoft's perpetually broken stuff.
These extensions seem to solve the security holes in 802.11 but does anyone here (Slashdot audience reading an 802.11 story seems a good place to ask) know of any fixes or rival standards that allow reasonable streaming of information? 802.11's delivery model breaks down when you try to stream real-time media (we're trying audio/video) to 802.11 receivers. Basically the beacon system introduces too much latency and the broadcast bandwidth cap means that you can't use all of the available bandwidth.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
There is a reason why Cisco won't let folks see the exact LEAP specs without signing a NDA.
Without going into any details LEAP has a security flaw that makes it less secure than WEP.
Hopefully PEAP will turn out to be secure, because LEAP isn't.
"...are Linux and OS/X going to be left out in the cold as this new standard is pushed by MS..." Since when does Microsoft set standards?
geek n performer who performs morbid or disgusting acts, as biting off the head of a live chicken
Expiration Date
This memo is filed as draft-josefsson-pppext-eap-tls-eap-02.txt, and expires August 22, 2002.
BTW Simon, have you found any more year-old milk cartons in your fridge lately? :-)
Money for nothing, pix for free
I read all of the other comments, even the trolls.
I don't see anyone else pointing out that the draft expired the day this story was posted.
What gives?!?
-- Terry
"Microsoft's been working on a new, secure authentication standard for 802.11b called PEAP.
Actually, MS is more than working on it. They've implemented it in WinXP SP1. See the July Cable Guy for more details.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0702.asp
Steven
While there are issues with what goes into LEAP, the one that I keep having is the need for Cisco's ACS or Funk's RADIUS server. I can find better things to do with $4500 bucks, but oh well.
The key item that LEAP lets me do is change WEP keys on a continual basis. Every 15 minutes my WEP key changes, so faster than you can get enough packets together and crack it, the key has changed. I have yet to see any other implementation that takes this route to secure things.
I don't believe anyone here will stand up for static keys, or MAC level filtering. Some people don't need the idea of having to use a VPN at the office (aka Exec's). So my choices are limited. Thankfully we've been using nothing but Cisco Wireless stuff, so the investment isn't as high.
Unfortunately, winmodems do affect network access. In many places, only telephone access is available to the internet.
Every time I have travelled in the past 8 years or so, the only way I could connect to the internet in my hotel room has been through my laptop's telephone modem. Fortunately, my laptop has a real modem.
If only newer laptops had real modems, I would have bought one. Because they don't have real modems, and because I won't use anything other than OpenBSD to connect to the internet, and because OpenBSD requires real modems, all of the newer laptops are useless to me.
This isn't a Microsoft standard, folks, it is an upgrade to LEAP. Cisco is behind PEAP and will implement it across their line.