By Glenn Fleishman
Special to Wi-Fi Networking News
Permanently archived item <http://wifinetnews.com/archives/003901.html>

[1] Radiuz offers WPA-Enterprise logins to free networks at no charge: Radiuz is a 
grand experiment in providing enterprise-scale security and encryption to free 
networks. Any network that wants to use Radiuz's authentication has to have an access 
point that handles pass-through 802.1X authentication, which most consumer units do. 
The access point is configured to talk to Radiuz's server, and that's it.

Radiuz is using WPA-Enterprise, as the Wi-Fi Alliance terms it, which is 802.1X 
port-based authentication coupled with WPA encryption keys. Radiuz further layers PEAP 
(Protected EAP) on top to provide a secure exchange of credentials with their server.

Radiuz tries to solve four interconnected problems with home and small-business 
networking.

First, security isn't tight enough: most home users leave encryption off because it's 
annoying to manage.

Second, even users who want to share their network connection are slightly leery of 
letting anonymous folks onboard. The development of [2] NoCatAuth and [3] 
LessNetworks's adaptation of that software are both attempts to provide 
accountability--in the former case, through a click-through terms of service; and 
adding user accounts in the latter case, although the accounts are free.

Third, WPA-Personal uses a static key for all users, making it possible for one user 
with a WPA key to sniff the traffic of any other user. Distributing a WPA-Personal key 
to "protect" a network doesn't help protect it in that way. (A WPA key that's kept 
private among a home or workgroup does, however.)

Fourth, WPA-Enterprise is beyond affordable for most smaller businesses, although 
products like Interlink Network's [4] LucidLink and Wireless Security Corporation's 
[5] Wireless Security Guard are steps in that direction.
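
Added example (not part of the original article): the third problem above follows from 
how WPA derives session keys. The Python sketch below runs the 802.11i key derivation 
over a constructed passphrase, SSID, MAC addresses and nonces, and models the 
per-session key from an 802.1X/EAP login as random bytes, which is an assumption.

```python
import hashlib
import hmac
import secrets

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal PMK: a function of the shared passphrase and SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def eap_pmk() -> bytes:
    """Stand-in for WPA-Enterprise: a fresh PMK per authenticated session.
    (Really derived inside the EAP exchange; modelled here as random bytes.)"""
    return secrets.token_bytes(32)

def ptk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: expand the PMK into the 64-byte pairwise key set (TKIP)."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20-byte HMAC-SHA1 blocks cover the 64 bytes needed
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]

# Constructed sample handshake; all four fields cross the air unencrypted.
AP = bytes.fromhex("020000000001")
ALICE = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
HANDSHAKE = (AP, ALICE, ANONCE, SNONCE)

def same_session_keys(alice_pmk: bytes, bob_pmk: bytes) -> bool:
    """True if Bob's PMK plus Alice's observed handshake yields the same
    pairwise keys that Alice and the access point are using."""
    return hmac.compare_digest(ptk(alice_pmk, *HANDSHAKE), ptk(bob_pmk, *HANDSHAKE))

def compare_modes() -> dict:
    alice = psk_pmk("constructed passphrase", "ExampleNet")
    bob = psk_pmk("constructed passphrase", "ExampleNet")  # same key handed to all
    return {
        "wpa_personal": same_session_keys(alice, bob),
        "wpa_enterprise": same_session_keys(eap_pmk(), eap_pmk()),
    }

if __name__ == "__main__":
    print(compare_modes())
```

With a distributed WPA-Personal key both users compute identical session keys, so the 
key gives no isolation between them; with a per-login key they do not.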

John Leibovitz is one of the founders of Radiuz, and we spoke recently about the 
organization's goals. Leibovitz describes Radiuz as a "cross between Wi-Fi and 
Friendster in a very kind of loose way." He and his co-founder Stephen Robinson want 
to build a community of registered users first and then see how to connect them. "The 
goal is really to build up that network, and to think creatively beyond that about how 
to make that economically sustaining," he said. Authentication will always remain 
free, however.

People who want to join the Radiuz network sign up and receive information on how to 
configure their access point to use Radiuz's servers. Users who want access to 
Radiuz-authenticated networks need to sign up out of band: you can't connect to the 
free network without credentials. When you sign up, you have to confirm via an email 
message to ensure that you have at least some valid footprint on the Internet that's 
trackable for a moment.

Leibovitz said that the time was right to launch Radiuz because native supplicants 
that support PEAP are available for all major platforms, including Linux ([6] Open1x), 
Mac OS X (version 10.3 in Internet Connect), and Windows XP. (A [7] Windows 2000 WPA 
client is free from Wireless Security Corporation.) "Any time you have installable 
clients, you impose costs and configuration issues on a user," he noted.

The operators of access points will have the ability to add and remove users who can 
access their particular network via a Web site. The general idea is that all Radiuz 
users would be able to access all Radiuz networks, but Leibovitz said they're 
providing user restriction as an option.

We discussed some of the current limitations to Radiuz's system that might cause users 
with less technical expertise to have some pause before switching their access point 
over. Because Radiuz requires a live Internet connection for users to authenticate, a 
loss of service at the access point's source--a DSL line going down--or anywhere 
between the user and Radiuz would disable all Wi-Fi access to the network. A user 
would have to connect via a wired port and turn off RADIUS authentication to regain 
access.

Wireless Security Corporation avoids this problem by having their own client which 
manages the distribution of a back-end WPA key, and supplying a server that can run 
locally to handle failover to provide continuous protected access during an Internet 
disruption.

A secondary problem is that even with each local Wi-Fi user having a unique key and 
thus being protected from other users, the Ethernet segment of the network, even just 
the link from the access point to a broadband modem, allows network sniffing. A feature 
available in newer Linksys firmware allows you to turn off the LAN segment for Wi-Fi 
users: they can only "see" and "hear" the Internet feed on the WAN.

Radiuz represents part of an interesting trend towards increased options for WPA 
authentication. It's worth watching how this develops for both free and fee networks, 
and for home and business networks. An ISP could easily offer this service for their 
home users, just like Radiuz can for all free networks.

URLs referenced:
[1] <http://radiuz.net/logon.jsp>
[2] <http://nocat.net/>
[3] <http://www.lessnetworks.com/>
[4] <http://www.lucidlink.com/>
[5] <http://www.wirelesssecuritycorp.com/>
[6] <http://www.open1x.org/>
[7] <http://www.wirelesssecuritycorp.com/wsc/public/WPAAssistant.do>

-- 
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
