Greetings all,
In a nutshell, can a Cisco Aironet 350 Access Point accept a per-user WEP key from
Freeradius (and can Freeradius serve it one)?
We're beginning the process of installing a wireless LAN on our college
campus. We'd like to have something more secure than wide open, but not something that
will require the use of VPNs or IPSec or LEAP. Weighing all of our options, the best
solution we arrived at would be a combination of MAC address authentication and unique
WEP keys for each client.
We're going to be using Cisco Aironet 350 access points. I've already found
out how to set up MAC address authentication with Freeradius. However, I'm not very
clear on the possibility/ability to serve out unique predetermined WEP keys for each
user. If anybody could shed some light on the feasibility of the following scenario,
I'd appreciate it:
Client A boots up her Windows 98 computer with a wireless NIC. The access
point grabs the MAC address, authenticates her against the radius server and
allows/denies data transmission.
Can we go one step further and when the access point sees Client A's MAC
address, the radius server tells the Cisco access point to use a particular WEP key
with that user?
Condition: That user knows that WEP key in advance and has already entered it into her
workstation's configuration...
So from an administrative standpoint, it will be somewhat tedious as each user will
have a unique WEP key we provide in advance. But from a security standpoint, at least
for the passive sniffer, it makes it very difficult because each client's traffic is
encrypted with a unique WEP.
Also, even though MAC addresses can be spoofed, you must know a working, authorized
MAC address and have a matching WEP key to even begin to transfer data.
Anyone heard/doing anything similar? I'm not even sure if it's possible. We wanted to
stay away from proprietary solutions like LEAP because it doesn't work with
everybody... and being a school, a bit of openness is okay.
Thanks,
John Tracy