hi
> > I want to know if Mac filtering will be too much of a headache vs.
> > having the AP proxy the authentication/association to a radius server?
>
> MAC authentication can be spoofed. EAP can't be.

i completely agree.

> > If I use Radius, can I make it so only the employee needs to
> > authenticate?
>
> No, but I'm not sure you want to allow un-authenticated users onto
> your network.

it depends on your APs, but you can. usually, if your AP supports multiple SSIDs, you can define security settings on a per-SSID basis. this would include 802.1X, RADIUS, etc. i.e. you can have an "open" SSID _and_ a closed SSID requesting authentication. now of course, it doesn't make any sense if both lead to the same network. hence, the SSIDs have to be mapped to VLANs, which is current practice.

> > If I use 802.1x, I am thinking the Radius server back at the corporate
> > location will be on their DMZ. Is the shared Secret in clear text
> > between the AP/Router to the Radius server?
>
> The shared secret is never sent in any packet.

alan is of course right, but if you have a more general doubt about the RADIUS internal security (like user privacy, etc.), you will have to add a local RADIUS server and proxy the requests to your corporate RADIUS server. then both RADIUS servers could use e.g. IPsec, and thus your RADIUS traffic leaving your local network would be well protected. (the direct way, an AP which does IPsec, doesn't exist on the market at the moment)

> > Is PEAP the most logical choice here? Why wouldn't I use it?
>
> If PEAP works, you can use it. If you're running Linux clients, I'd
> recommend EAP-TTLS. :-)

i don't even know why ms started developing PEAP when the TTLS draft had already been available for a year...

ciao
artur

--
Artur Hecker
artur[at]hecker.info

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
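Added example, not from the thread and not FreeRADIUS code: a minimal RFC 2865 encoder in Python that shows what "the shared secret is never sent in any packet" means in practice. The secret is only ever a key input to MD5 (hiding User-Password in the request, computing the Response Authenticator on the reply); the secret, user name and password below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(atype, value):
    # RADIUS attribute TLV: Type(1) Length(1, counts the header) Value
    return bytes([atype, len(value) + 2]) + value

def hide_user_password(secret, request_auth, password):
    # RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    # block), seeded with the Request Authenticator. The secret is a key input only.
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_user_password(secret, request_auth, hidden):
    # Server side: same key chain, but the previous ciphertext block feeds the next key
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, user, password, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # must be random; fixed only for tests
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_user_password(secret, request_auth, password))  # User-Name stays in the clear
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(secret, code, ident, request_auth, attrs=b""):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret): proves
    # the server holds the secret without the secret itself ever being a packet field
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    # NAS side: recompute with its own copy of the secret and the authenticator it sent
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Note that User-Name and every other attribute still cross the wire in the clear and the password hiding is only MD5-keyed XOR, which is exactly the "user privacy" concern that motivates IPsec between the local and corporate RADIUS servers.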
