Slashdot Mirror


A Solution For Making WiFi Cost Effective

rkohutek writes "This whitepaper came out of my employer's desire to deploy high speed wireless internet to an underserved, mostly rural area. Although very easy to do on the ground level, I found it to not be a cake walk when it came to actually making it a viable network case -- in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth. This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do. Read on for how we managed to make it work using Free Software: HTML or PDF." Update: 06/07 20:42 GMT by T : He sends along word of this mirror as well.

11 of 120 comments

  1. Mirror by rkohutek · · Score: 5, Informative

    As an article poster, I saw that it was gonna get hit pretty hard, so here's a mirror:

    http://129.19.75.194/~jakalowiw/warta/

    Cheers,
    Randal

  2. Assume the network is insecure by Megor1 · · Score: 5, Informative

    Just like with 802.11b you might as well assume the wireless part is insecure and use something like an SSL pipe to actually connect the user to the net.

    --
    Everyone that disagrees with me is a paid shill

  3. Solution by Anonymous Coward · · Score: 5, Informative

    in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth.

    At my school anyone with a wifi card can get onto the network, but it just takes you to a web page where you have to put in a userid and password to access anything else on the network and the internet. They never ask for any information about your computer such as MAC address.

    1. Re:Solution by isorox · · Score: 3, Informative

      Hmm, what about coverage though? Regulations in the EU are a lot stricter (max 100mW EIRP for example, the 'A' zone - America etc, can do 4W EIRP, so you can legally stick a 13dB antenna on a 100mW access point. In the EU, you can't.) There's also issues with deliberately broadcasting outside. I want to push wireless 6 miles from town to my (future) home, but as

      1) That's in Greece. I speak 27 words of Greek, and I don't want to try and explain the technicalities of it if the Greek radio agency come round
      2) I'm only 40 degrees off some massive radar military dishes. I don't want to explain the technicalities of it if the Greek radio agency come round in a tank with machine guns

      (Maximum legal power / gain)

      Any links that are more specific on the legalities across Europe (which I would assume are the same) would be appreciated.

    2. Re:Solution by rkohutek · · Score: 2, Informative

      We partner with a local HotSpot provider called Unwired Access (http://www.unwiredaccess.net) that does this, and this is how it works:

      The *nix machine by default denies all traffic and null routes everything, except for clients going to the login page. JoeSixPack fires up his machine, leases an IP from the *nix machine. He fires up his browser, and the *nix machine automatically forwards all HTTP requests to the local login-portal. JoeSixPack signs in, the *nix machine authenticates, then pokes holes in the firewall for that client and starts up timers and whatnot. As soon as JoeSixPack signs off, the *nix machine closes the firewall holes.

      You could use SSL forms and authentication and such, but tying all that into RADIUS auth/accounting would require some custom programming, but this setup also has a lot of room for abuse as there is no per-packet encryption, no tunneling, nada.

      randal

  4. Re:How to make WiFi Cost Effective. by ward99 · · Score: 3, Informative

    It was shown in Wargames, but it didn't "Come" from it. People had been doing it (and calling it that) for at least several years before. This solution is interesting - I'm trying to get a WiFi network up locally to support a local AE beta. One of the concerns in starting a big WiFi project locally has been addressed by this article.

  5. Built to be vulnerable... by no_mayl · · Score: 2, Informative

    This Article on Radius has a section on vulnerabilities.
    And it does seem pretty weak against snooping during the authentication phase.
    Somebody mentioned tunneling via SSL. Right on dude.
    --
    jpa

  6. Re:AirSnort the PPPoE authentication? by rkohutek · · Score: 3, Informative

    We utilize CHAP primarily with PAP as a backup. CHAP offers end-to-end encryption of the authorization session, while PAP does not.

    Cheers,
    randal

  7. Re:Just a question: by rkohutek · · Score: 5, Informative

    On our side, the actual tower itself is pretty cheap. We started out with a single T1, (we're waiting on our third one to go in next week), $350 install for that, $250 for a used Cisco 2501 + dsu/csu, we already had the AP and antenna laying around. And our tower is $200/mo ... so, the physical setup was, in total, maybe $900? CPE is running us right around $150-200, depending on which model is required.

    The OSS backend, though, is what I usually spend my day maintaining. Mail servers, billing, customer management, all that stuff ... man. I spend probably 20 hours a week upgrading / tweaking / maintaining. I'm sure that to startup, you could do it all for free with OS stuff, but it would take a lot of work. A *LOT* of work. Especially making everything tie together -- that's the really hard part. So to answer your question ... that's the really, really expensive part.

    randal

  8. Re:AirSnort the PPPoE authentication? by miu · · Score: 2, Informative

    Slightly OT, but CHAP is not encrypted, the password is never sent, just challenge/response. (If I give you this challenge what will you give me back, does it match what I computed the response should be for the password I have for you on record with the challenge I gave you.)

    Also, the entire auth session is seldom encrypted, LCP takes place in the clear, as does RADIUS.

    --

    [Set Cain on fire and steal his lute.]
  9. Re:McDonalds and Starbucks by swv3752 · · Score: 3, Informative

    They used a simpler solution: PPPoE.

    --
    Just a Tuna in the Sea of Life