[TriLUG] trying to understand secure wpa options

Brian McCullough bdmc at bdmcc-us.com
Sun Jul 29 17:42:16 EDT 2007


On Sat, Jul 28, 2007 at 07:12:17PM -0700, Joseph Mack NA3T wrote:
> (I'm assuming I'm using wpa_supplicant for encryption and 
> RADIUS for authentication/authorisation. I will be setting 
> up the WAPs. I have wpa_supplicant running, but have never 
> set up RADIUS so I may be off-base with the RADIUS part.)

This is where my memory and understanding seem to differ from yours,
Joe.  My understanding was that ( at the very least )  WPA performs some
sort of secure Authentication ( and possibly authorization ) process,
followed by another component ( PSK? ) that encrypts the channel.
Something like the way that ISAKMP and IPSec work.

The way that I have used, and have seen used, RADIUS is to perform a
"single sign on" function, using an LDAP database ( directory ) to
authenticate users "dialling up" and requesting access to the "corporate
network."  RADIUS ( as I understand it ) can use anything for its
password file, up to and including a flat text file, with plain-text
passwords. ( or is that DOWN to? )  In that sense, RADIUS could probably
serve your other, "single sign on" goal, but I'm not sure how the other
components would play with that.  Possibly if you eliminated the various
wireless components from the equation ( not really, but conceptually )
and logged into a "terminal server" with everything encrypted end-to-end
between the remote terminal and the terminal server.  In that case, you
could probably hop from WAP to WAP, as long as the terminal server
recognized you as an existing connection.  It would do so with some sort
of temporary shared key, I imagine. You wouldn't want to make the
"forced logout" timeout too long, in case someone left the network with
an open connection.

The world around 802.1X seems to be re-designing these functions, too.


> asked to re-authenticate). If my laptop is stolen I don't 
> want anyone to be able to use it to snoop on the network or 
> connect, so no passwds in the .conf file.

I see some sort of two-factor challenge-response authentication system
here, where the machine is only one part of the equation.



> I've seen people at conferences using RSA automatic PIN 
> generators to get back to their home office. This method 
> would add extra expense and since some of the people glue 
> their RSA key machine to their laptops, if the laptop is 
> stolen, then the RSA key machine is gone too. An RSA key 


!!!  I see that these people have been given their key fob but haven't
quite grasped the whole idea of security.


> It seems it should be possible to set up IPSec between the 
> clients and authentication server (with certificates) using 
> an unencrypted wifi layer, with IPSec encrypting the 
> packets. However then anyone else could use the open wifi 
> link layer for connecting. Is there some way to stop these 
> outside people from getting a dhcp say. Presumably the 
> stolen laptop problem would be handled by the thief not 
> knowing the passphrase for the private key.

Just remember that "IPSec" is actually several components, each doing
their part of the job.  Establishment of the connection can be arranged
automatically, where you are confident of the "physical" security, or it
can be configured to be a manual process, where the user must know the
"password." 



> Thanks Joe


Brian




