Slashdot Mirror


Controlling Access to Wireless APs?

pvera asks: "A friend-of-a-friend-of-a-friend is thinking of offering wireless internet access at the medical conferences that he organizes. He already has people that can help him setting the access point itself and the connection to the internet, but he does not know how to control access. I am a T-mobile hot-spot subscriber, and my service uses some sort of proxy that does not allow me to surf thru their network unless I authenticate on a page that comes up regardless of what my home page is set to. Once I am authenticated then the proxy is transparent to me. Here in Arlington, VA there is a company called iSurf networks that has the exact same setup as T-mobile, only they sell their service thru pre-paid cards. The cards are just like phone cards, your scratch a strip in the back to have access to the account id and the password. While you use the connection it shows a pop-up with a count-down display so you know how much time is left in your card. Does anyone know of a commercial or open source product that allows this functionality? Or of a company that provides an outsourced solution to do this?"

10 of 30 comments

  1. might try... by Hubert_Shrump · · Score: 3, Informative
    --
    Keep your packets off my GNU/Girlfriend!
  2. NoCatAuth by Omega Hacker · · Score: 4, Informative
    --
    GStreamer - The only way to stream!
  3. Why make it difficult by MerlynEmrys67 · · Score: 2, Interesting
    It is a short conference... why bother, put a 64 bit WEP key that you hand out to participants. How many people do you expect to "steal" the bandwidth anyway. If you are concerned, run a Top N talkers through your RMON MIB on your router, and if any of the top N talkers aren't conference participants, put a MAC address filter in the access point.

    The IETF has been providing wireless service to conference participants for years now, wide open, you can use a key if you want to, but most people don't.

    --
    I have mod points and I am not afraid to use them
  4. IPTables rules + Apache by Brian Hatch · · Score: 3, Informative
    Obviously you need to have a firewall that is available from the wireless network. Configure this machine to give out DHCP addresses so the wireless network is effectively in bridge mode.

    When a machine joins the network and gets an IP address and attempts to hit a website, it will attempt to go through your firewall. You'll want to have this machine redirect the connection to a webserver on that machine that shows an "authenticate in some way, shape or form" page. Using whatever logic you want, it decides to allow this machine to go out the firewall unstopped. You could probably have this program write the IP address to a file or database or something.

    Some other process picks up that there's a new machine that should be granted access, and it creates a new iptables rule to allow it unrestricted outbound access, thus bypassing the "redirect everyone to our 'authenticate' page".

    Now the next issue is how to keep a new person from using this same IP address. You could watch for MAC address changes and remove the iptables rules if the MAC changes.

    This is a bit of a hasty response - heading out the door.

  5. Re:but it's microwave... by Twirlip of the Mists · · Score: 4, Interesting

    There's a funny story that's completely unrelated to but vaguely reminiscent of this. (Let's let the "off-topic" and "interesting" mods fight it out.)

    WFAA-TV in Dallas, TX, was one of the first TV stations in the country, if not the first, to turn on its HDTV transmitter. It did this back in 1998.

    Dallas is also the home of Parkland Memorial Hospital, a giant hospital complex. Some of you may remember Parkland as the hospital where President Kennedy was pronounced after his assassination in 1963.

    Parkland Hospital has a giant cardiac ICU, as one would expect of a giant hospital. In the cardiac ICU they use wireless telemetry systems to monitor patients' hearts. Instead of having a 12-lead EKG monitor by each patient's bed and sending nurses around to check them, they put the leads on each patient and then connect them to a little battery-powered wireless transmitter. The transmitter sends the signals back to the nurse's station where they can be observed by a human being more conveniently and safely.

    So back in 1998, WFAA flipped the switch to turn on their HDTV transmitter. And every single wireless cardiac monitor in Parkland went bat-shit.

    The long story made short, as it was explained to me, is that the company that made the wireless monitors was, either through negligence or some kind of honest mistake, using the wrong frequency. The frequency they were using was allocated by the FCC for digital television broadcasts. This wasn't a problem at the time, because there were no digital television broadcasts anywhere in the country. Until that day when WFAA turned on their transmitter.

    Ever since hearing that story, I've been a little skeptical about the much-lauded wireless revolution. Imagine if you will that the FCC, some years from now, reallocates the 2.4 GHz band for some other use. All the gear that currently uses that band, from microwave ovens to cordless phones to Bluetooth gadgets to your laptop, these things aren't just going to disappear.

    Oh, trouble's a'brewin'.

    --
    I write in my journal
  6. DIY by Permission Denied · · Score: 5, Informative
    Here's how these products work (and a way to build one yourself):

    The AP is hooked up to a FreeBSD box. The FreeBSD box runs NAT and DHCP. When the box sees a DHCP lease request from an unknown MAC, it gives the client an IP and puts the client in a "sandbox" network. This "sandbox" network redirects all IP packets to port 80 on the authentication server (two different ways to do this - either with dynamic ipfw rules, or directly through divert(4)). The authentication server asks for a username/password. Since you write this stuff yourself, you can integrate it with LDAP/Kerberos/flat files, etc. You can even get creative and set the password to something you print out on a receipt so the clients have to "buy" time from you, with the POS computers hooked up to the auth server, etc.

    Once the client authenticates, you modify the ipfw rules that redirected packets to the local machine so that packets run through the normal NAT stuff. You can also set up a cron job to delete stale entries so people have to re-authenticate every now and then.

    If you do this with ipfw, it's just a couple of rules. I ran into some problems doing it this way, so I wrote a little C program that directly inspected packets and passed them along using FreeBSD's divert(4) interface. (I get paid to do these sorts of things for people, so the code ain't mine to give away and it would be pretty useless anyway since there's a lot of coding and admin work involved in integrating it).

    For real security, you'll need to pass all packets through such a custom program anyway, so you can inspect whether or not that particular IP (given from a DHCP lease) has authenticated recently. You'll also need an AP that passes along MAC addresses unmodified. I know Cisco Aironets allow you to do this, and I know Linksys APs don't (Linksys APs are based on a Lucent chip that's used in lots of other APs like the Apple Airport).

    Note that someone with enough expertise can sniff the network, get a valid IP, DOS the real client, and then impersonate the already-authenticated MAC and IP. All systems which work in the way you described are vulnerable to this type of attack.

    Not a whole lot you can do to fight this; however, a while back, some guy submitted a paper to Slashdot about how you can tell if someone is spoofing a MAC based on some peculiarities with how most 802.11b cards handle a sequence number in the 802.11 protocol. I'm guessing his paper is new enough that none of the people who sell these pre-built systems implemented his idea, but if you do your own, you're free to implement whatever you want. Note that using this is still not foolproof (search my posting history for an example of an attack against a system which would use this idea and for the link to the original article).

    Basic conclusion: there is no bulletproof system which does what you need. If you implement it correctly (with an AP that passes along MACs unmolested in bridge mode), it makes it more difficult, and if you implement the anti-spoofing thing I mentioned, it just ups the bar even more, past the level of the script kiddies. Judge your security needs: such a wireless access system can be good enough if you ensure your confidential data is behind a real authentication system and is never sent over the wire clear-text. If you're worried about someone (someone capable) stealing 'net access from you, you should probably stay away from wireless.

    You seem to be looking for a pre-built system that does this sort of thing. Although I'm sure someone is selling this sort of thing, it's probably not popular because there are so many variables involved with integrating it into your existing infrastructure (cabling, routing, authentication systems, etc). Generally, you would get a competent consultant to build something like this for you if you don't have the requisite programmers and networking gurus. If you want to avoid the consulting fees, pick up some Richard Stevens books to learn networking and programming, and start running -CURRENT to learn proper system administration :)

    Have fun.
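    The redirect-then-grant scheme that Brian Hatch (comment 4) and Permission Denied (comment 6) sketch, written out as an added example on Linux iptables; this is not code from either poster. It assumes a hypothetical layout (clients on wlan0, the portal web server on the same box at 10.0.0.1:8080, a grants file) and prints the rules instead of applying them unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not any poster's code: a minimal Linux captive-portal
# controller in the style Brian Hatch (iptables redirect) and Permission
# Denied (DHCP sandbox + stale-entry sweep) describe. Assumed, hypothetical
# layout: clients arrive on $WLAN_IF, the auth web server runs on this box at
# $PORTAL_IP:$PORTAL_PORT, grants are "<ip> <mac> <epoch>" lines in $STATE_FILE.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply for real.
WLAN_IF=${WLAN_IF:-wlan0}
PORTAL_IP=${PORTAL_IP:-10.0.0.1}
PORTAL_PORT=${PORTAL_PORT:-8080}
STATE_FILE=${STATE_FILE:-/tmp/portal-grants}
IPT=${IPT:-echo iptables}

# Sandbox: unauthenticated HTTP is DNAT'ed to the portal page, all other
# forwarding from the wireless side is dropped; grants are inserted ahead of these.
portal_base_rules() {
  $IPT -t nat -N PORTAL_PRE
  $IPT -t nat -A PREROUTING -i "$WLAN_IF" -j PORTAL_PRE
  $IPT -t nat -A PORTAL_PRE -p tcp --dport 80 \
       -j DNAT --to-destination "$PORTAL_IP:$PORTAL_PORT"
  $IPT -N PORTAL_FWD
  $IPT -A FORWARD -i "$WLAN_IF" -j PORTAL_FWD
  $IPT -A PORTAL_FWD -j DROP
}

# Per-client rules keyed on IP *and* source MAC, so a later laptop that gets the
# same DHCP address is not silently granted (cloning both still works, as noted).
client_rules() {   # $1 = -I (add) or -D (delete), $2 = ip, $3 = mac
  $IPT -t nat "$1" PORTAL_PRE -s "$2" -m mac --mac-source "$3" -j RETURN
  $IPT "$1" PORTAL_FWD -s "$2" -m mac --mac-source "$3" -j ACCEPT
}

grant_client() {   # called by the auth page once a login succeeds
  client_rules -I "$1" "$2"
  printf '%s %s %s\n' "$1" "$2" "$(date +%s)" >> "$STATE_FILE"
}

revoke_client() {
  client_rules -D "$1" "$2"
  grep -v -- "^$1 $2 " "$STATE_FILE" > "$STATE_FILE.tmp" || true
  mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# Cron-style sweep: revoke grants older than $1 seconds to force re-authentication.
expire_grants() {
  now=$(date +%s)
  while read -r ip mac ts; do
    if [ $((now - ts)) -ge "$1" ]; then revoke_client "$ip" "$mac"; fi
  done < "$STATE_FILE"
}
```

    The login handler calls grant_client with the client's IP and MAC, and a cron entry runs expire_grants with the session length; the MAC check only raises the bar against address reuse, not against the sniff-and-impersonate attack the post describes.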

  7. one way, or the other... by TheSHAD0W · · Score: 2, Informative

    If you want to restrict access, the best way (IMHO) is to set up a dedicated routing machine running some Unix variant, acting as a firewall between the APs and the net at large. Users can then log onto that machine using PPPOE or PPTP (depending on whether you want to encrypt the links as well).

  8. new topic/icon by DiSKiLLeR · · Score: 2, Informative

    Oooohhh, it's a new topic/icon. First story ever posted under 'software'.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  9. Look at what Stockholmopen.net did by snowtigger · · Score: 2, Informative

    In Stockholm (Sweden), there is actually a project which is exactly what you are looking for. They have access points in different places and a common software for authentication. You get an ip-number automatically and must then authenticate on a webpage before connecting to the internet. It supports kerberos authentication too.

    Basically, it's a system designed to offer a wide coverage by little means and cooperation.

    Everything is at www.stockholmopen.net. You can download the software there too.

  10. Re:but it's microwave... by bill_mcgonigle · · Score: 2, Interesting

    The long story made short, as it was explained to me, is that the company that made the wireless monitors was, either through negligence or some kind of honest mistake, using the wrong frequency.

    I suspect they weren't really using the wrong frequency, per se; rather, their frequency was a harmonic of the HDTV signal, or vice-versa.

    In keeping with the best practices of the regulatory state, some genius decided that Medical Devices are exempt from RF shielding requirements. And every radio geek knows that every transmitter is also an antenna. So, you take a medical wireless radio transmitter, don't shield the thing, then turn on a honkin' transmitter nearby, and everybody is surprised when things stop working. <whine>But it's FDA approved!</whine>

    On the bright side, when cell phones first started becoming popular, the hospital where I worked did an audit. Net-net: don't get within 4 feet of a respirator when you're broadcasting, but everything else is pretty much OK.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)