this is exactly the same scheme i outlined previously, albeit in more detail.

your WLAN is public, e.g. anyone can connect. so they can see the others on the LAN. but in order to get a "real" internet connection, they have to set up a dialup networking (PPTP VPN miniport) connection, and authenticate normally.

this is not rocket science, everyone from globe to airborne access to mozcom have done this.


On 4/11/06, fooler < [EMAIL PROTECTED]> wrote:
i would like to give you an idea how i implemented a secure authentication with wireless lan and wired lan but i cannot give you the full details due to some restriction where i work...
 
i have a server with two nics.. one nic is facing the internet with a public ip and the other nic is facing the private lan either wired or wireless lan with *no* ip address assigned to it... therefore all workstations trying to put a gateway ip address on their network configuration still can't go out of the network because there is no ip address facing them...
 
all access points are connected to a switch where the ip less nic is also connected... the configuration of all access points are simply broadcast the service set identifier or SSID without encryption.. purpose for that is to have a link connectivity between the wireless clients and ip less nic...
 
in order for all workstations either wired or wireless to authenticate and access the outside world... they must use a ppp dialer and enable mschap version 2 for secure and encrypted authentication... of course they must use a good lengthy password to prevent from dictionary based attack... i prefer to use higher layer encryption (eg. mschapv2) than layer 2 encryption used by the wireless vendors to prevent from incompatibilities from other vendor's layer 2 encryption scheme....
 
the server is the one communicating with the remote radius server for its authentication, authorization and accounting (AAA)... if there is radius therefore you can do a prepaid service... the radius server is separated from this server to provide another security level.. this server acts only as remote access point (RAS)...
 
with this kind of setup... this prepaid card is extended to not only from a regular dial-up prepaid card but also you can use this from wired lan (mostly school's laboratory) and wireless hotspots... therefore its a unified prepaid card...
 
i prefer to use this kind of setup rather than the wireless web based authentication because i can easily sabotage any wireless web based authentication thru denial of service and man in the middle attack thru layer 2 attack technique...
 
fooler.
 
----- Original Message -----
Sent: Tuesday, April 11, 2006 4:55 PM
Subject: Re: [plug] Hotspot Howto

you don't need openwrt. even a crapola stock linksys can authenticate over radius using pptp. the only catch is, anyone can get on the network for free -- they just can't go outside the network (e.g. surf the net) without authenticating.

the radius/ppp based wifi authentication schemes don't work at the physical/port layer. you need LEAP/PEAP for that, and LEAP/PEAP is a tremendous pain in the butt.


On 4/11/06, Mhac Janapin <[EMAIL PROTECTED]> wrote:
I am trying to setup a hotspot here in our school.
I got me an Edimax-G for the AP/router.

From my googling around, I learned that I need these packages to setup a WiFi hotspot:
a)freeradius
b)chillispot
c)phpMyPrepaid
d)OpenWrt (in my router)

It seems that I cannot install OpenWrt into my router. However, Edimax has the linux source (GPL'd) of their versions.

And so:
1)has anybody here implemented a different scheme for a hotspot? (freeradius+mysql)
2)has anybody here tinkered with that source code?


_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph

