There are 2 general types of wireless authentication: port level or physical layer, and network level.
the port-level authentication is the best -- the end-user does not get a PHYSICAL ethernet link until they have authenticated. unfortunately, it is a complete PITA to implement: you have to distribute client certificates to all the machines which want to authenticate. so there is a problem of key management. so let's forget about that.
the other method is network level. this is what happens: all your access points are WIDE OPEN, meaning public. anyone can connect to your AP.
now, your AP has a private IP, say 192.168.1.0/24. you also must have a linux box with 2 ethernets. so it looks like this:
(bunch of wifi clients) <-------> public AP <------> (eth1 LINUX BOX eth0) <------> internet
now, what you do is, you hang a DHCPD off the eth1 of your linux box. so anyone who connects to your public AP gets assigned an IP address from your private IP block.
so, now, these clients can ping each other, and they can ping the eth1. but your Linux box should not have IP forwarding between eth1 and eth0 -- so the clients cannot browse the internet.
secondly, you will run PPTPD (point to point tunneling protocol daemon) -- i used PopTop before -- on the linux box. the PPTPD is configured to spawn a PPPD (your regular garden-variety PPPD).
on the wifi clients, in order for them to get an internet connection, they have to set up a dialup networking configuration. but instead of MODEM, select the "PPTP VPN miniport" type. note you need Win2k SP2 or WinXP at minimum in order to have this.
then in the VPN setup, specify as VPN access point, the eth1 IP of the linux box. So you see, the linux box is acting as a VPN server. the actual VPN server software is the PPTPD.
when the client double-clicks his/her DUN icon, the thing pops up and prompts for a username/password. the client must then put in an appropriate username/password. the Windows DUN client will then contact PPTPD for authentication. PPTPD will spawn PPPD, and PPPD will take care of validating the authentication credentials.
assuming that the credentials are OK, PPPD will then set up a PPP connection, assign an IP address to it (which gets assigned to the windoze box) and the windoze box can now browse the net using the PPP assigned IP, and NOT the DHCP-assigned private IP.
clear as mud?
so actually PPPD takes care of authentication. two ways: using /etc/ppp/chap-secrets, or using radius.
CHAP is preferred, because the password is not transmitted in the clear (remember that the wifi segment is public, so anyone with a sniffer can sniff the traffic). of course once the PPTP connection is set up, it's already encrypted because it's a VPN. so the only vulnerable part is the PPP (PAP) handshake.
problem with CHAP is that common radii don't support it -- you have to hard-code the username/password in /etc/ppp/chap-secrets.
if you wanna do radius, you have to use PAP. configure your PPPD to use PAP, and configure it to talk to an appropriate radius server. so you have the problem of passwords in the clear. nice thing though: the garden variety Linux PPPD obeys the "Session-Timeout" radius parameter, so if the prepaid card runs out, the PPTP VPN connection cuts off and the end-user loses internet connectivity.
now i remember there is a better way to do the above using chilispot or something which sidesteps the PAP requirement. but i never got around to that... :)
the PAP method is tested and working though.
On 4/12/06, Mhac Janapin <[EMAIL PROTECTED]> wrote:
Hi Orly,
For the sake of others in this list, could you somehow elucidate on that idea some more? I mean, I am somewhat confused by the terms "set up a dialup networking" when applied to wireless clients. :)
I was hoping to do the same as "Seattle's Best" has done it. Buy a prepaid card. Then put in username and password. And there you go. :) Something like that. Thanks.
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph


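The packet-filter policy that the Linux box in Orly's design implies (open eth1 segment may only reach DHCP, ping, TCP 1723 and GRE on the box; nothing from eth1 is forwarded; only ppp+ sessions reach eth0), as an added example that is not part of the original post. Interface names, the 192.168.1.0/24 block and the `gen_rules` helper are assumptions taken from or added to the description above; the script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Hypothetical firewall policy for the PPTP "captive" design: eth1 faces the
# public AP, eth0 faces the Internet, ppp+ are the per-client PPPD interfaces.
WIFI_IF=eth1
WAN_IF=eth0
WIFI_NET=192.168.1.0/24   # private block handed out by dhcpd on eth1 (assumed)

# Print the sysctl/iptables commands for the given interfaces and wifi block.
gen_rules() {
    wifi="$1"; wan="$2"; net="$3"
    cat <<EOF
# forwarding must be on for the PPP clients, so restrict it with FORWARD rules
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# what the unauthenticated wifi segment may reach on the box itself
iptables -A INPUT -i $wifi -p udp --dport 67 -j ACCEPT            # DHCP
iptables -A INPUT -i $wifi -s $net -p icmp -j ACCEPT              # ping eth1
iptables -A INPUT -i $wifi -s $net -p tcp --dport 1723 -j ACCEPT  # PPTP control
iptables -A INPUT -i $wifi -s $net -p 47 -j ACCEPT                # PPTP data (GRE)
# nothing arriving on eth1 is forwarded; only PPP sessions get to the Internet
iptables -A FORWARD -i $wifi -j DROP
iptables -A FORWARD -i ppp+ -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Sanity check: true (exit 0) if any FORWARD rule accepts traffic from the wifi
# interface directly, which would let unauthenticated clients browse.
allows_unauth_forward() {
    gen_rules "$1" "$2" "$3" | grep -q "FORWARD -i $1 .*ACCEPT"
}

gen_rules "$WIFI_IF" "$WAN_IF" "$WIFI_NET"
```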