[TriLUG] trying to understand secure wpa options
jim at neuse.net
Sun Jul 29 08:18:37 EDT 2007
If you were interested in making it the subject for one of our labs, I'm
sure it would be well received.
Jim Ray, President
Neuse River Networks
tel: 919-838-1672 cell: 919-606-1772
Connecting You to the World since 1997
Specializing in the design, sales, installation, and support of today's
technology for small to mid-sized markets, we also focus on both commercial
and industrial networks for PCs and phones. Now in our tenth year, the
company began with deploying video, voice and data communications systems in
the Triangle region, which we continue to do today.
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf Of Joseph Mack NA3T
> Sent: Saturday, July 28, 2007 10:12 PM
> To: trilug at trilug.org
> Subject: [TriLUG] trying to understand secure wpa options
> (I'm assuming I'm using wpa_supplicant for encryption and
> RADIUS for authentication/authorisation. I will be setting
> up the WAPs. I have wpa_supplicant running, but have never
> set up RADIUS so I may be off-base with the RADIUS part.)
> I need to set up wifi access where the wifi link is
> un-snoopable (ie not wep) and it would be nice if I only
> have to authenticate/authorize once in a session (ie I
> should be able to move to a different WAP without being
> asked to re-authenticate). If my laptop is stolen I don't
> want anyone to be able to use it to snoop on the network or
> connect, so no passwds in the .conf file.
> It probably would be OK if the person with a stolen laptop
> automatically got an encrypted link, but couldn't do
> anything with it till they authorised with a passwd, but I'd
> be happier if they didn't even get an encrypted link.
> I'm looking at the wpa_supplicant.conf example file and
> there seem to be passwds buried in the conf file for all the
> available methods of encrypting the link. This would allow
> anyone who stole my laptop to connect. Is this correct? Is
> it possible to do what I want to do?
> I've seen people at conferences using RSA automatic PIN
> generators to get back to their home office. This method
> would add extra expense and since some of the people glue
> their RSA key machine to their laptops, if the laptop is
> stolen, then the RSA key machine is gone too. An RSA key
> just seems to be a bit of hardware not under my control and
> which could stop working without me being able to do
> anything about it.
> It seems it should be possible to set up IPSec between the
> clients and authentication server (with certificates) using
> an unencrypted wifi layer, with IPSec encrypting the
> packets. However then anyone else could use the open wifi
> link layer for connecting. Is there some way to stop these
> outside people from getting a dhcp, say? Presumably the
> stolen laptop problem would be handled by the thief not
> knowing the passphrase for the private key.
> Thanks Joe
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
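The stolen-laptop concern in the quoted message comes down to which `network` blocks in `wpa_supplicant.conf` store a reusable secret. The following is an added example, not part of the thread and not wpa_supplicant's own code: a small audit that lists those fields per network. The sample config, its SSIDs, identity and file paths are constructed for illustration.

```python
import re

# network-block fields in wpa_supplicant.conf that hold a reusable secret
SECRET_KEY = re.compile(r"(psk|password|private_key2?_passwd|pin|wep_key[0-3])")

def find_stored_secrets(conf_text):
    """Return [(ssid, field, line_no)] for each secret stored in a network block."""
    findings, pending, ssid, in_block = [], [], None, False
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or full-line comment
        if line.startswith("network={"):
            in_block, ssid, pending = True, None, []
        elif line == "}" and in_block:
            # report at block end so the ssid is known even if it came last
            findings += [(ssid, field, n) for field, n in pending]
            in_block = False
        elif in_block and "=" in line:
            field, value = (part.strip() for part in line.split("=", 1))
            if field == "ssid":
                ssid = value.strip('"')
            elif SECRET_KEY.fullmatch(field) and value:
                pending.append((field, line_no))
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = '''\
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="constructed passphrase"
}
network={
    ssid="office"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
    # private_key_passwd="commented out, so not stored"
}
'''

if __name__ == "__main__":
    for ssid, field, line_no in find_stored_secrets(SAMPLE):
        print(f"line {line_no}: network {ssid!r} stores {field}")
```

Only the PSK network is reported; the EAP-TLS block keeps a certificate and key path on disk but no passphrase field.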