[TriLUG] trying to understand secure wpa options
Joseph Mack NA3T
jmack at wm7d.net
Sat Jul 28 22:12:17 EDT 2007
(I'm assuming I'm using wpa_supplicant for encryption and
RADIUS for authentication/authorisation. I will be setting
up the WAPs. I have wpa_supplicant running, but have never
set up RADIUS, so I may be off-base with the RADIUS part.)
I need to set up wifi access where the wifi link is
un-snoopable (i.e. not WEP) and it would be nice if I only
have to authenticate/authorize once in a session (i.e. I
should be able to move to a different WAP without being
asked to re-authenticate). If my laptop is stolen I don't
want anyone to be able to use it to snoop on the network or
connect, so no passwds in the .conf file.
It probably would be OK if the person with a stolen laptop
automatically got an encrypted link, but couldn't do
anything with it till they authorised with a passwd, but I'd
be happier if they didn't even get an encrypted link.
I'm looking at the wpa_supplicant.conf example file and
there seem to be passwds buried in the conf file for all the
available methods of encrypting the link. This would allow
anyone who stole my laptop to connect. Is this correct? Is
it possible to do what I want to do?
I've seen people at conferences using RSA automatic PIN
generators to get back to their home office. This method
would add extra expense, and since some of the people glue
their RSA key machine to their laptops, if the laptop is
stolen, then the RSA key machine is gone too. An RSA key
just seems to be a bit of hardware not under my control,
which could stop working without me being able to do
anything about it.
It seems it should be possible to set up IPSec between the
clients and authentication server (with certificates) using
an unencrypted wifi layer, with IPSec encrypting the
packets. However, then anyone else could use the open wifi
link layer for connecting. Is there some way to stop these
outside people from getting a DHCP lease, say? Presumably the
stolen laptop problem would be handled by the thief not
knowing the passphrase for the private key.
Thanks, Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
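The post's central worry is whether every wpa_supplicant.conf network block must carry a usable secret on disk. The following is an added example, not code from the post or from the wpa_supplicant project: a small audit script that parses the network={...} blocks of a wpa_supplicant.conf and reports, per network, which secrets are stored in the file (psk=, password=, private_key_passwd=) and whether an EAP-TLS network has left private_key_passwd out, in which case wpa_supplicant asks for the key passphrase over its control interface at runtime instead of reading it from the file. The embedded sample configuration, its SSIDs, identity and certificate paths are all constructed for this example.

```python
"""Scan a wpa_supplicant.conf for credentials stored in the clear.

Added example, not from the original post. It parses the network={...}
blocks of a wpa_supplicant.conf and reports, per network, which secrets
are on disk (psk=, password=, private_key_passwd=) and whether an EAP-TLS
network leaves its private-key passphrase to be prompted for at runtime.
The sample configuration below is constructed for this example.
"""
from dataclasses import dataclass, field

# Keys whose presence in a network block means a usable secret sits on disk.
SECRET_KEYS = ("psk", "password", "private_key_passwd")

# Constructed sample: one WPA-PSK network with the passphrase in the file
# (the weak form the post worries about), and one WPA-EAP/TLS network whose
# key passphrase is left out so wpa_supplicant requests it via wpa_cli.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
    ssid="home-psk"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}

network={
    ssid="office-eap"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="joe@example.org"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/joe.pem"
    private_key="/etc/cert/joe.key"
    # private_key_passwd deliberately omitted: prompted via wpa_cli
    proactive_key_caching=1
}
"""


@dataclass
class Network:
    ssid: str
    settings: dict = field(default_factory=dict)
    stored_secrets: list = field(default_factory=list)
    prompts_for_key_passphrase: bool = False


def parse_networks(conf_text):
    """Return each network={...} block as a dict of key -> raw value.

    Full-line comments and blank lines are dropped; values keep their
    quotes so a quoted passphrase and a 64-hex PSK are both recognised.
    Global settings outside any block are ignored.
    """
    networks = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
            continue
        if line == "}" and current is not None:
            networks.append(current)
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks


def audit(conf_text):
    """Classify each network by what a thief of the disk would obtain."""
    results = []
    for block in parse_networks(conf_text):
        net = Network(ssid=block.get("ssid", "?").strip('"'), settings=block)
        net.stored_secrets = [k for k in SECRET_KEYS if k in block]
        is_tls = block.get("eap", "").upper() == "TLS"
        # EAP-TLS with a private key but no passphrase in the file: the
        # passphrase has to be supplied at runtime, not read from disk.
        net.prompts_for_key_passphrase = (
            is_tls and "private_key" in block and "private_key_passwd" not in block
        )
        results.append(net)
    return results


def summarize(conf_text):
    """Return {ssid: verdict} suitable for a quick review of the file."""
    out = {}
    for net in audit(conf_text):
        if net.stored_secrets:
            out[net.ssid] = "secret-on-disk: " + ",".join(net.stored_secrets)
        elif net.prompts_for_key_passphrase:
            out[net.ssid] = "key-passphrase-prompted"
        else:
            out[net.ssid] = "no-secret-on-disk"
    return out


if __name__ == "__main__":
    for ssid, verdict in summarize(SAMPLE_CONF).items():
        print(f"{ssid:12s} {verdict}")
```

Two caveats the verdict does not capture on its own: the "prompted" case only helps against a stolen laptop if the private key file itself is stored passphrase-encrypted (an unencrypted PEM key is a usable credential whether or not private_key_passwd is in the conf), and the runtime prompt is delivered as a CTRL-REQ-PASSPHRASE request on the control interface, answered with `wpa_cli passphrase <network id> <passphrase>` or interactively in `wpa_cli`. The `proactive_key_caching=1` line in the sample is the client-side opt-in for opportunistic PMK caching, which lets a station roam to another AP under the same authenticator without a full EAP exchange; whether it actually avoids re-authentication depends on the AP/controller supporting it.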