Slashdot Mirror


User: puneetb

puneetb's activity in the archive.

Stories: 0
Comments: 7

Comments · 7

  1. use 802.1x instead of PSK on State of Secure Wireless Networking? · · Score: 2, Informative

    Everything looks fine except for the WPA-PSK part. Use WPA with 802.1x authentication instead of pre-shared keys. It's more secure and makes overall management easier (want to lock a user out, just disable his account on the server; users can use the same password as they use on their VPNs or on your regular network; a new master key is generated per session; you can allow users to log in only at specific times or from specific access points). The only problem is that authentication takes a wee bit longer than PSK each time, but unless you have users using voice-over-IP and walking around from access point to access point you won't notice any difference with 802.1x.

  2. Re:$22 million in jobs on Outsourcing As A Source Of U.S. Jobs · · Score: 1

    > > $22 million in jobs or in dividends to stock holders.
    > Do you think that shareholders stick their money in socks when they get it? I don't. I either invest it again (which creates jobs) or I spend it (ditto).


    Nice. It's exactly this impression that the rich want everyone to have. Screw the middle class, and they don't even know it.
    Check this out.
    our tax system now forces most Americans to subsidize the lifestyles of the very rich, who enjoy the benefits of our democracy without paying their fair share of its price..... The author exposes how tax cuts supposedly intended to help the middle class benefit the super rich far more...

  3. Didn't Joltage and Sputnik try the same thing? on Cringely Proposes New WiFi Plan · · Score: 5, Interesting

    Is this really new? Didn't Joltage (even Nicholas Negroponte was on its board) try the same thing and finally go under? After such a high-profile failure and many not-so-high-profile ones, not to mention the liability issues of sharing internet access [what if someone downloads child porn using your network, or breaks into some computers or shares music. Since you are NATing, RIAA sees your IP and comes after you!], your service agreement with your ISP, etc., I don't think this model will work.

    Granted Joltage gave only the SW, but the HW components are cheap enough that giving them free is also not going to help.

    The 'hotspot business model' is just running around like a headless chicken...

  4. Re:question for /. - 802.1x or a firewall on Are You Using 802.1X? · · Score: 1

    While changing MAC address in a Linux system is easy, for Windows 2000 and XP based systems also you can use a tool like SMAC.
    http://www.klcconsulting.net/smac/

    Couple this with Ethereal (where you first sniff out a valid MAC address) and getting network access on a MAC-based authentication scheme is trivial.

    Also, 802.1x will provide you encryption and dynamic keys, something a simple firewall-based solution won't be able to do.

    Puneet

  5. yes, the security it provides is worth it on Are You Using 802.1X? · · Score: 5, Informative

    Not using even WEP is simply asking for trouble; using basic WEP (pre-shared keys) is a little better, but it's still vulnerable and has the hassles of key management (each time you change the keys you need to update all clients). 802.1x is the way to go.

    There is some support on OSes for 802.1x (Windows XP has it built in for some authentication methods, for Windows 2000 you can download it from the Microsoft website, for Linux and BSD use xsupplicant (http://www.open1x.org)).

    One important consideration is what 'EAP method' you use for security. 802.1x is a framework for security and you can tie-in different methods within this framework for doing the actual authentication and key generation.

    If you use EAP-TLS then there can be a problem of configuring certificates on client machines, though it's pretty secure once set up. You can use the Cisco-proprietary LEAP with Cisco APs and clients or go for a solution based on PEAP or EAP-TTLS.

    LEAP only requires you to have a user-name/password type of setup and can be easily tied to existing authentication infrastructure (e.g., the Windows network in your LAB). PEAP and EAP-TTLS need only a username and password if you use MS-CHAPV2 or some such method, though you still need valid server-side certificates.

    Puneet

  6. Re:AirSnort the PPPoE authentication? on A Solution For Making WiFi Cost Effective · · Score: 1

    CHAP is prone to offline dictionary attacks, and hence not really recommended for wireless-type environments (which are much easier to sniff).
    Also CHAP *requires* the RADIUS server to have access to all user passwords in cleartext. If that server is ever compromised, *ALL* your passwords are compromised. You can't use /etc/passwd types of passwords (crypt, MD5, SHA1, other one-way hashes) with CHAP. MS-CHAP-V2 sort of addresses some of these issues.
    -Puneet

  7. Re:AirSnort the PPPoE authentication? on A Solution For Making WiFi Cost Effective · · Score: 1

    Actually, RADIUS does not send the password in the clear (even when doing PAP and not CHAP). The password is sort of encrypted (simple XOR) using the shared secret and some random bytes (authenticator). Like CHAP, you can still perhaps carry out an offline dictionary attack, but it's not as simple as reading the password in clear from an Ethereal capture.
    -Puneet