[TriLUG] trying to understand secure wpa options

Joseph Mack NA3T jmack at wm7d.net
Sun Jul 29 17:59:23 EDT 2007


On Sun, 29 Jul 2007, Brian McCullough wrote:

> On Sat, Jul 28, 2007 at 07:12:17PM -0700, Joseph Mack NA3T wrote:
>> (I'm assuming I'm using wpa_supplicant for encryption and
>> RADIUS for authentication/authorisation. I will be setting
>> up the WAPs. I have wpa_supplicant running, but have never
>> set up RADIUS so I may be off-base with the RADIUS part.)
>
> This is where my memory and understanding seem to differ from yours,
> Joe.  My understanding was that ( at the very least )  WPA performs some
> sort of secure Authentication ( and possibly authorization ) process,
> followed by another component ( PSK? ) that encrypts the channel.
> Something like the way that ISAKMP and IPSec work.

PSK = personal shared key.

You need to have a passwd in your conf file. I'm trying to 
avoid having clear text passwds in a laptop which could be 
stolen. Looking at the examples for the other encryption 
methods (EAP) you need passwds in the wpa_supplicant file 
too (it seems).

> The way that I have used, and have seen used, RADIUS is to perform a
> "single sign on" function, using an LDAP database ( directory )

This is what I want. I'm compiling up RADIUS now.

>  You wouldn't want to make the
> "forced logout" timeout too long, in case someone left the network with
> an open connection.

Haven't figured out yet what happens if someone just shuts 
down their laptop without disconnecting.

> I see some sort of two-factor challenge response authentication system
> here, where the machine is only one part of the equation.

OK. Hoping to avoid a two step login, but if I have to I 
have to.

>> I've seen people at conferences using RSA automatic PIN
>> generators to get back to their home office. This method
>> would add extra expense and since some of the people glue
>> their RSA key machine to their laptops, if the laptop is
>> stolen, then the RSA key machine is gone too. An RSA key
>
>
> !!!  I see that these people have been given their key fob but haven't
> quite grasped the whole idea of security.

I was a little surprised myself. I'm sure the people at work 
checked him out before they let him out the door. At least 
it's more secure than a post-it, which as we all know, can 
peel off :-)

Still having to carry gizmos to allow you to use your laptop 
is just one more piece of pain for the user.

> Just remember that "IPSec" is actually several components, each doing
> their part of the job.  Establishment of the connection can be arranged
> automatically, where you are confident of the "physical" security, or it
> can be configured to be a manual process, where the user must know the
> "password."

IPSec seems simpler conceptually than all the messing around 
with wpa. However I don't want anyone who steals a laptop to 
get on, which means that one passwd will be needed for the 
IPSec link layer, then another to authenticate with RADIUS.

Thanks
Joe
-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
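The cleartext-passwd-in-the-conf-file problem raised in this thread has a standard partial answer for the WPA-PSK case: wpa_supplicant accepts either `psk="passphrase"` or the 64-hex-digit key that `wpa_passphrase` derives from it, so the human passphrase never needs to sit on the laptop. The derived key is still a credential for that SSID, though, so the file must stay private. The example below is added here and is not code from the thread or from the wpa_supplicant project; it assumes the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), quoted `ssid=` values only (wpa_supplicant also allows hex SSIDs, which this simplified parser does not handle), and a constructed sample conf.

```python
import hashlib
import hmac
import stat

# IEEE 802.11i PSK derivation parameters (assumption: standard WPA/WPA2-Personal).
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # 256-bit pairwise master key


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 pre-shared key from passphrase and SSID (what wpa_passphrase does)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN
    )


def network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant network block carrying the hex PSK instead of the passphrase."""
    psk_hex = derive_psk(passphrase, ssid).hex()
    return "\n".join(["network={", f'\tssid="{ssid}"', f"\tpsk={psk_hex}", "}"])


def _resolve_psk(net: dict) -> dict:
    """Turn a parsed network block into (ssid, 32-byte key), accepting either psk form."""
    ssid = net["ssid"].strip('"')
    raw = net["psk"]
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        key = derive_psk(raw[1:-1], ssid)          # quoted passphrase form
    elif len(raw) == 64:
        key = bytes.fromhex(raw)                   # pre-derived hex form
    else:
        raise ValueError(f"unrecognised psk value for ssid {ssid!r}")
    return {"ssid": ssid, "psk": key}


def parse_networks(conf_text: str) -> list:
    """Minimal parser for network={...} blocks; comments (#) and blank lines are ignored."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(_resolve_psk(current))
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks


def same_key(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two derived keys."""
    return hmac.compare_digest(a, b)


def conf_mode_is_private(mode: int) -> bool:
    """True when the conf file is readable by its owner only (no group/other bits set)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample conf (not from the thread): the same network written both ways.
SAMPLE_CONF = "\n".join([
    "# constructed sample",
    "ctrl_interface=/var/run/wpa_supplicant",
    "network={",
    '\tssid="IEEE"',
    '\tpsk="password"   # cleartext passphrase on disk',
    "}",
    network_block("IEEE", "password"),  # hex PSK: passphrase itself no longer stored
    "",
])

if __name__ == "__main__":
    nets = parse_networks(SAMPLE_CONF)
    print("keys equal:", same_key(nets[0]["psk"], nets[1]["psk"]))
    print(network_block("IEEE", "password"))
    print("0600 private:", conf_mode_is_private(0o600), " 0644 private:", conf_mode_is_private(0o644))
```

Both blocks in the sample resolve to the same 32-byte key, which is the point: the hex form removes the passphrase from the laptop but whoever reads the file can still join that SSID, so `conf_mode_is_private` (checked against `os.stat(path).st_mode` on a real system) matters either way. For the EAP case the thread mentions, wpa_supplicant similarly accepts an NT-hash form for MSCHAPv2 passwords, with the same caveat that the hash is itself the credential.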


