[TriLUG] trying to understand secure wpa options

Brian McCullough bdmc at bdmcc-us.com
Sun Jul 29 18:30:12 EDT 2007


On Sun, Jul 29, 2007 at 02:59:23PM -0700, Joseph Mack NA3T wrote:
> On Sun, 29 Jul 2007, Brian McCullough wrote:
> 
> >  You wouldn't want to make the
> > "forced logout" timeout too long, in case someone left the network with
> > an open connection.
> 
> haven't figured out yet what happens if someone just shuts 
> down their laptop without disconnecting.

That's why you would have, either in PAM or, more likely, in the
terminal server layer, a timeout that would force that connection
closed.


> > I see some sort of two-factor challenge response authentication system
> > here, where the machine is only one part of the equation.
> 
> OK. Hoping to avoid a two step login, but if I have to I 
> have to.

No, by two factor, I mean that your machine is one factor and the
response that you give to the password is the other.  Something like
what some of the "banking-type" sites are doing now with the "site key"
where they have you choose ( or possibly upload ) a picture and give a
"magic phrase" to be displayed to the user before prompting for the
password.


> > Just remember that "IPSec" is actually several components, each doing
> > their part of the job.  Establishment of the connection can be arranged
> > automatically, where you are confident of the "physical" security, or it
> > can be configured to be a manual process, where the user must know the
> > "password."
> 
> IPSec seems simpler conceptually than all the messing around 
> with wpa. However I don't want anyone who steals a laptop to 
> get on, which means that one passwd will be needed for the 
> IPSec linklayer, then another to authenticate with RADIUS.

I'm pretty sure that RADIUS would not be necessary in an IPSec system.
Use the authentication and authorization functions of IPSec to set up
the user's access profile for the system.  Unplug RADIUS -- Insert
IPSec.



B-)