[TriLUG] trying to understand secure wpa options
Robert Dale
robdale at gmail.com
Sun Jul 29 13:39:31 EDT 2007
On 7/28/07, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> (I'm assuming I'm using wpa_supplicant for encryption and
> RADIUS for authentication/authorisation. I will be setting
> up the WAPs. I have wpa_supplicant running, but have never
> set up RADIUS, so I may be off-base with the RADIUS part.)
>
> I need to set up wifi access where the wifi link is
> un-snoopable (i.e. not WEP) and it would be nice if I only
> have to authenticate/authorize once in a session (i.e. I
> should be able to move to a different WAP without being
> asked to re-authenticate). If my laptop is stolen I don't
> want anyone to be able to use it to snoop on the network or
> connect, so no passwds in the .conf file.
>
> It probably would be OK if the person with a stolen laptop
> automatically got an encrypted link, but couldn't do
> anything with it till they authorised with a passwd, but I'd
> be happier if they didn't even get an encrypted link.
>
> I'm looking at the wpa_supplicant.conf example file and
> there seem to be passwds buried in the conf file for all the
> available methods of encrypting the link. This would allow
> anyone who stole my laptop to connect. Is this correct? Is
> it possible to do what I want to do?
>
> I've seen people at conferences using RSA automatic PIN
> generators to get back to their home office. This method
> would add extra expense and since some of the people glue
> their RSA key machine to their laptops, if the laptop is
> stolen, then the RSA key machine is gone too. An RSA key
> just seems to be a bit of hardware not under my control and
> which could stop working without me being able to do
> anything about it.
>
> It seems it should be possible to set up IPSec between the
> clients and authentication server (with certificates) using
> an unencrypted wifi layer, with IPSec encrypting the
> packets. However then anyone else could use the open wifi
> link layer for connecting. Is there some way to stop these
> outside people from getting a DHCP lease, say. Presumably the
> stolen laptop problem would be handled by the thief not
> knowing the passphrase for the private key.
The last time I did wireless was pre-WPA, so I can't really help you
there. Typically, how it used to be done was that the wireless
network itself was some private IP space (192.168..). One could
connect to the wireless network but not get out. If you used a web
browser, you would have been redirected to some sort of registration
page. After registering, you then had internet access. Behind the
scenes, this just meant turning on NAT for your IP. If you wanted
real encryption (not WEP ;) you used a VPN - user/pass required. If
this is a controlled environment, then you could use just the VPN.
For DHCP, you could have your DHCP server give out IPs based on
registered cards. But this would only work in a controlled
environment. There would be no way to do this with a registration
page, because, well, you would need an IP to get to that page.
There are all sorts of these packages out there and some may even be
WPA-enabled. Just search freshmeat or wherever for 'wifi' or
'hotspot'.
HTH
--
Robert Dale
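The registration-page gate described in the reply above, written out as an added example (it is not code from the original thread or from anyone on the list): POSIX shell around iptables for the "private IP space, redirect to a registration page, then turn on NAT for that IP" pattern, plus a dhcpd.conf host stanza for the "IPs based on registered cards" variant. The interface names wlan0/eth0, the 192.168.7.0/24 subnet, the portal address 192.168.7.1 and the script name wifi-gate.sh are assumptions; nothing here is a fixed name from the page.

```shell
#!/bin/sh
# Added example, not from the original thread: the pre-WPA "registration page"
# gate, as iptables rules on a Linux box that routes between the wireless
# segment and the uplink. Interface names, the 192.168.7.0/24 subnet and the
# portal address are assumptions; change them to match your network.
# Set IPTABLES=echo to dry-run (print the rules) without root.

IPTABLES="${IPTABLES:-iptables}"
WLAN_IF="${WLAN_IF:-wlan0}"             # side facing the access points (assumed)
UPLINK_IF="${UPLINK_IF:-eth0}"          # side facing the rest of the network (assumed)
WLAN_NET="${WLAN_NET:-192.168.7.0/24}"  # private wireless IP space (assumed)
PORTAL_IP="${PORTAL_IP:-192.168.7.1}"   # this box, which serves the registration page

# Base policy: a wireless client can get an address and resolve names, its web
# traffic lands on the registration page, and nothing is forwarded for it
# until register_client has been run for its IP.
portal_init() {
    # Private chains, so the script can be re-run without duplicating rules.
    $IPTABLES -t nat -N WIFI_REG 2>/dev/null || $IPTABLES -t nat -F WIFI_REG
    $IPTABLES -N WIFI_FWD 2>/dev/null || $IPTABLES -F WIFI_FWD

    # Everything from the wireless segment goes through our two chains.
    $IPTABLES -t nat -A PREROUTING -i "$WLAN_IF" -s "$WLAN_NET" -j WIFI_REG
    $IPTABLES -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j WIFI_FWD

    # The box itself must answer DHCP and DNS and serve the portal on port 80;
    # without DNS the client's browser never sends the HTTP request we redirect.
    $IPTABLES -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$WLAN_IF" -p tcp --dport 80 -j ACCEPT

    # Catch-alls for unregistered clients: web traffic is rewritten to the
    # portal, anything else that would be forwarded is dropped.
    $IPTABLES -t nat -A WIFI_REG -p tcp --dport 80 -j DNAT --to-destination "$PORTAL_IP:80"
    $IPTABLES -A WIFI_FWD -j DROP

    # "Turning on NAT": only packets that survive FORWARD (registered clients)
    # reach POSTROUTING, where they are masqueraded out the uplink.
    $IPTABLES -t nat -A POSTROUTING -o "$UPLINK_IF" -s "$WLAN_NET" -j MASQUERADE
}

# Called by the registration page's back end once the user has signed up.
# Rules are inserted at position 1 so they match before the catch-alls.
register_client() {
    client_ip="$1"
    $IPTABLES -t nat -I WIFI_REG 1 -s "$client_ip" -j RETURN
    $IPTABLES -I WIFI_FWD 1 -s "$client_ip" -j ACCEPT
}

# Reverse of register_client, e.g. when the DHCP lease expires. The gate is
# keyed on IP only, so a lease that changes hands carries the registration
# with it unless this is called first.
unregister_client() {
    client_ip="$1"
    $IPTABLES -t nat -D WIFI_REG -s "$client_ip" -j RETURN
    $IPTABLES -D WIFI_FWD -s "$client_ip" -j ACCEPT
}

# The "IPs based on registered cards" variant: one dhcpd.conf host stanza per
# known card, for use with "deny unknown-clients;" in the subnet declaration.
# The MAC is validated so a typo fails loudly instead of producing a stanza
# dhcpd rejects at startup. (A MAC is trivially cloned, so this is a
# convenience for a controlled environment, not an access control.)
dhcp_host_entry() {
    host_name="$1"; mac="$2"; fixed_ip="$3"
    echo "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' \
        "$host_name" "$mac" "$fixed_ip"
}

# Usage (script name assumed):
#   ./wifi-gate.sh init | register <ip> | unregister <ip> | dhcp <name> <mac> <ip>
case "${1:-}" in
    init)       portal_init ;;
    register)   register_client "$2" ;;
    unregister) unregister_client "$2" ;;
    dhcp)       dhcp_host_entry "$2" "$3" "$4" ;;
esac
```

Run `IPTABLES=echo ./wifi-gate.sh init` first to see the rule set it would load, then `./wifi-gate.sh register 192.168.7.20` from the portal back end after a successful sign-up. The gate only decides who gets NAT; it does nothing about the link being sniffable, which is why the reply pairs it with a VPN for real encryption.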