----- Original Message -----
From: Orlando Andico
To: Philippine Linux Users' Group (PLUG) Technical Discussion List
Sent: Tuesday, April 11, 2006 11:50 PM
Subject: Re: [plug] Hotspot Howto
this is exactly the same scheme i outlined previously, albeit in more
detail.
your WLAN is public, e.g. anyone can connect. so they can see the others
on the LAN.
but mine by default has no ip address on either the clients or the server's
nic facing them... therefore, it adds another level of security...
but in order to get a "real" internet connection, they have to
set up a dialup networking (PPTP VPN miniport) connection, and
authenticate normally.
no pptp from my design...
this is not rocket science, everyone from globe to airborne access to
mozcom have done this.
in computing there is no such thing as rocket science... it is all about
creativity of the given architecture...
comments further below...
----- Original Message -----
From: Orlando Andico
To: Philippine Linux Users' Group (PLUG) Technical Discussion List
Sent: Wednesday, April 12, 2006 10:07 AM
Subject: Re: [plug] Hotspot Howto
OK. This is what happens.
There are 2 general types of wireless authentication: port level or
physical layer, and network level.
and application level (web authentication)...
the port-level authentication is the best -- the end-user does not get
a PHYSICAL ethernet link until they have authenticated. unfortunately,
it is a complete PITA to implement: you have to distribute client
certificates to all the machines which want to authenticate. so there
is a problem of key management. so let's forget about that.
not only that... the incompatibilities of other wifi vendors...
the other method is network level. this is what happens: all your access
points are WIDE OPEN, meaning public. anyone can connect to your AP.
now, your AP has a private IP, say 192.168.1.0/24. you also must have
a linux box with 2 ethernets. so it looks like this:
(bunch of wifi clients) <-------> public AP <------>
(eth1 LINUX BOX eth0) <------> internet
now, what you do is, you hang a DHCPD off the eth1 of your linux box.
so anyone who connects to your public AP gets assigned an IP address
from your private IP block.
there are lots of security implications but i don't want to discuss them
further...
on the wifi clients, in order for them to get an internet connection, they
have to set up a dialup networking configuration. but instead of MODEM, select
the "PPTP VPN miniport" type. note you need Win2k SP2 or WinXP at
minimum in order to have this.
win98 includes pptp also...
CHAP is preferred, because the password is not transmitted in the clear
(remember that the wifi segment is public, so anyone with a sniffer can
sniff the traffic).
of course once the PPTP connection is set up, it's already encrypted
because it's a VPN. so the only vulnerable part is the PPP (PAP) handshake.
problem with CHAP is that common radii don't support it -- you have to
hard-code the username/password in /etc/ppp/chap-secrets.
it depends on your ppp daemon... don't use chap even if it is encrypted by
default, because it can easily be decrypted... you've got another security
implication here...
if you wanna do radius, you have to use PAP. configure your PPPD to
use PAP, and configure it to talk to an appropriate radius server. so you
have the problem of passwords in the clear.
again it depends on your ppp daemon and your radius software... i can do
mschap version 2 from client to server and server to radius server...
nice thing though: the garden
variety Linux PPPD obeys the "Session-Timeout" radius parameter, so if the
prepaid card runs out, the PPTP VPN connection cuts off and the end-user
loses internet connectivity.
again it depends on your ppp daemon... not only session-timeout... you can
use other radius attributes for other creativity....
the PAP method is tested and working though.
don't use PAP or CHAP over wireless... it's a big security risk....
fooler.
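Added example, not from the thread or either poster: a pppd options profile for the pptpd box in the design above, with the PAP profile the thread argues over beside the MS-CHAPv2 + MPPE profile fooler mentions, plus a small pre-deployment check. The radius.so plugin, the radiusclient path and the file layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes pptpd handing sessions to pppd
# with the radius.so plugin; the radiusclient path is an assumption.

# The profile the thread warns against: PAP lets the RADIUS password cross
# the public WLAN in the clear inside the PPP handshake, and nothing forces MPPE.
weak_pptpd_options() {
cat <<'EOF'
name pptpd
require-pap
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
EOF
}

# Hardened profile: refuse PAP, CHAP and MS-CHAPv1, require MS-CHAPv2 and
# 128-bit MPPE, and still authenticate against RADIUS (whose Session-Timeout
# reply attribute pppd honours, so an expiring prepaid card drops the session).
hardened_pptpd_options() {
cat <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
nodefaultroute
proxyarp
lock
EOF
}

# Check an options file before deploying: prints "weak" (and returns 1) if it
# still permits a cleartext PAP login or does not force MS-CHAPv2 plus MPPE,
# otherwise prints "ok".
check_pptpd_options() {
  f="$1"
  if grep -q '^require-pap$' "$f" \
     || ! grep -q '^require-mschap-v2$' "$f" \
     || ! grep -qE '^require-mppe(-40|-128)?$' "$f"; then
    echo weak
    return 1
  fi
  echo ok
}
```

Run `hardened_pptpd_options > /etc/ppp/options.pptpd` on the box facing the WLAN, then `check_pptpd_options /etc/ppp/options.pptpd` to confirm nothing weaker slipped back in.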
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph