Re: [Dorset] Monitoring Internet Connectivity.

2019-03-09 Thread Patrick Wigmore
On Sat, 09 Mar 2019 17:58:26 +, t...@ls83.eclipse.co.uk wrote:
> Yes, not only that but I'm hoping that CC#2, by trying to beat the
> system, will learn a bit about networking rather than just using
> it.
:-)

> As someone who hasn't come across RADIUS before, could you explain
> how it could help in this situation (i.e. preventing someone from
> connecting to the network with an arbitrary IP address)?
My experience of RADIUS is limited to being a sometime user of 
[eduroam][1], which uses it.

I don't really know much about how it works, but I'll take the
opportunity to improve my understanding by trying to explain it.

My understanding is that RADIUS is a protocol for services that
provide authentication for one or more different network access
mechanisms. So, on its own, RADIUS is not really a solution at all,
just part of a solution.

In the context of a WiFi network, I imagine RADIUS will most likely be
integrated with WPA2, using [EAP][2].

Alternatively, RADIUS could be linked to a web-page-based captive
portal.

A third option might be to provide WiFi access only to a VPN server or
some other portal/proxy/gateway server, which uses RADIUS to
authenticate users and then provides access to the network proper.

Of these, I don't think the captive portal option will help. By not
using WiFi encryption, it leaves the door open for a client to imitate
another client to take advantage of its greater privilege.

Using the WPA2 option, I believe the authentication occurs before the 
client device is connected to the network by the access point. I 
suppose the access point is therefore the arbiter of what kinds of 
connections are possible, under the instruction of the RADIUS server.
(I suppose the access point fulfils the "Network Access Server" role.)

So the RADIUS server might, in effect, tell the access point which 
VLAN to tag an authenticated client's traffic with, for example, or it 
might tell it which IP addresses the client can use. These are 
certainly just guesses on my part: the sorts of outcomes that would
make sense to me.

If the client can be reliably forced into a particular VLAN or a
particular IP address by the access point on the basis of the client's
authenticated identity, then it is going to be easy for a router/
firewall to control what the client can access and when.

The access point can also send the RADIUS server updates about whether 
the client is still connected, to enable the accounting feature.

The RADIUS server could itself have any kind of back-end, potentially
integrating with a wider system of user accounts.

I'm surprised, but probably shouldn't be, to learn that the
[hostapd][3] daemon is not only capable of using a RADIUS server, but
also capable of being a RADIUS server itself.


> > One 'cheaper' option for authentication would be to just have more
> > than one WiFi SSID.
> 
> Yes, that's a possibility, as the Draytek has multiple SSIDs with
> scheduling. But fairly quickly the unscheduled SSID passwords will
> be compromised.
If the compromise is by means of extracting credentials from other 
devices, then I suppose the same risk could apply to a solution using 
RADIUS.


Patrick


[1]: https://www.eduroam.org/
[2]: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
[3]: https://w1.fi/hostapd/


--
  Next meeting: BEC, Bournemouth, Tuesday, 2019-04-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk/
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
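The exchange Patrick describes above (access point as NAS, RADIUS server deciding and handing back a VLAN for the authenticated identity), as an added worked example that is not part of Patrick's message or of any project in the thread. It models RFC 2865 packet layout, User-Password hiding and the Response Authenticator the AP checks before trusting a reply, plus the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) that carry the VLAN. Assumptions: a PAP-style User-Password attribute stands in for the EAP conversation a WPA2-Enterprise AP would carry in EAP-Message attributes, and the shared secret, user names, passwords and VLAN ids are all made up.

```python
# Toy RADIUS Access-Request/Access-Accept exchange carrying a VLAN assignment
# (RFC 2865 packet format, User-Password hiding, Response Authenticator; RFC 2868
# tunnel attributes). Added example; PAP-style User-Password stands in for the EAP
# exchange a WPA2-Enterprise AP would carry. Secret, users, passwords, VLANs: made up.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                                        # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE802 = (13).to_bytes(3, "big"), (6).to_bytes(3, "big")      # 3-byte tagged-int values
# Constructed user database held only by the server: identity -> (password, VLAN).
USERS = {"alice": ("correct horse", 10), "cc2": ("battery staple", 20)}

def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def _parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def _hide_password(password, secret, req_auth):
    # RFC 2865 5.2: NUL-pad to 16-byte blocks; XOR block i with MD5(secret + ciphertext
    # block i-1), the first block with MD5(secret + Request Authenticator).
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def _reveal_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")

def _response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def nas_build_request(secret, ident, username, password):
    # AP side. Keep the random Request Authenticator: the reply is only verifiable against it.
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, _hide_password(password, secret, req_auth)))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(packet, secret):
    # Server side: check credentials; an Access-Accept carries the VLAN for that
    # identity as the three RFC 2868 tunnel attributes, otherwise Access-Reject.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    else:
        reply_code = ACCESS_ACCEPT
        reply_attrs = (_attr(TUNNEL_TYPE, b"\0" + VLAN) + _attr(TUNNEL_MEDIUM_TYPE, b"\0" + IEEE802)
                       + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\0" + str(entry[1]).encode()))
    auth = _response_authenticator(reply_code, ident, req_auth, reply_attrs, secret)
    return _packet(reply_code, ident, auth, reply_attrs)

def nas_parse_reply(reply, secret, ident, req_auth):
    # AP side: silently drop a reply whose identifier or Response Authenticator does
    # not verify (wrong secret, forged, replayed); else return decision and VLAN.
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return None
    body = reply[20:length]
    if reply[4:20] != _response_authenticator(code, rid, req_auth, body, secret):
        return None
    if code != ACCESS_ACCEPT:
        return {"accept": False}
    attrs = _parse_attrs(body)
    is_vlan = attrs.get(TUNNEL_TYPE, b"")[1:] == VLAN and attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == IEEE802
    vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"\0")[1:].decode() if is_vlan else None
    return {"accept": True, "vlan": vlan}

def authenticate(username, password, nas_secret, server_secret=None):
    # One round trip; a different server_secret simulates an impostor RADIUS server.
    server_secret = nas_secret if server_secret is None else server_secret
    request, req_auth = nas_build_request(nas_secret, 0x2A, username, password)
    return nas_parse_reply(server_handle(request, server_secret), nas_secret, 0x2A, req_auth)
```

`authenticate("alice", "correct horse", b"s3cret")` returns `{"accept": True, "vlan": "10"}`, a wrong password gives `{"accept": False}`, and a server that does not hold the AP's shared secret gets its reply discarded (`None`) because the Response Authenticator fails. The point for the thread is that the VLAN decision is made per authenticated identity and enforced by the AP, which is why a client cannot escape it by choosing its own IP address. These are the same three attributes hostapd's `dynamic_vlan` setting acts on, and the shared secret is its `auth_server_shared_secret`; wiring this into a particular Draytek or hostapd setup is left as an assumption. Two caveats a practitioner would add: real EAP traffic also carries a Message-Authenticator (RFC 2869), omitted here, and RADIUS's MD5-based secret handling means the shared secret should be long and random, since captured traffic allows offline guessing.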

Re: [Dorset] Linux bridging software for MTDfV

2019-03-09 Thread tda

Hi Ralph

On 09/03/2019 17:27, Ralph Corderoy wrote:

> Hi Tim,
>
> > Come April all VAT returns to HMRC will need to be through a new
> > digital portal. This is Making Tax Digital for VAT.
>
> Did you get anywhere with this?  I did some digging at the time and
> still have a bunch of browser tabs open from then, but didn't have time
> to write it up.  I'll revise their content and do that if it's not now a
> solved problem.



No, I drew a complete blank, but I see HMRC have now updated their website so 
that you can now filter on bridging software, which lists 58 providers. So it's 
a matter of trawling through these to find something suitable, skipping the 
likes of Deloitte, KPMG and Mazars. So for instance https://1clickaccounts.com/ 
(second in list) is a web based solution that accepts CSV files, £9.95 per 
year. If there are no hidden catches then that is a possibility. I'm going to 
see how the dust settles as we have a few months before doing our first MTD VAT 
return.

Cheers

Tim


Re: [Dorset] Monitoring Internet Connectivity.

2019-03-09 Thread tda

Hi Patrick

On 08/03/2019 21:56, Patrick Wigmore wrote:

> I have got the impression from these messages that Tim might be quite
> enjoying the cat and mouse game, and so going straight for the
> 'nuclear option' of RADIUS might spoil the fun! Having said that,
> perhaps I am underestimating the adversary.

Yes, not only that but I'm hoping that CC#2, by trying to beat the system, will 
learn a bit about networking rather than just using it.

As someone who hasn't come across RADIUS before, could you explain how it could 
help in this situation (i.e. preventing someone from connecting to the network 
with an arbitrary IP address)?

> One 'cheaper' option for authentication would be to just have more
> than one WiFi SSID.

Yes, that's a possibility, as the Draytek has multiple SSIDs with scheduling. 
But fairly quickly the unscheduled SSID passwords will be compromised.

Cheers

Tim




Re: [Dorset] Monitoring Internet Connectivity.

2019-03-09 Thread tim
On Sat, 9 Mar 2019 16:57:37 +
PeterMerchant via dorset  wrote:

> On 09/03/2019 10:58, Ralph Corderoy wrote:
> > Hi Patrick,
> >
> >> I have got the impression from these messages that Tim might be quite
> >> enjoying the cat and mouse game
> > A motivated attacker seems preferable to a consuming CC#2.  :-)
> >
> >> and so going straight for the 'nuclear option' of RADIUS might spoil
> >> the fun!
> > True.  It occurred to me that Draytek may already provide a RADIUS
> > server, and Google says they do,
> > https://www.draytek.co.uk/support/guides/kb-internal-radius, but it's
> > behind a registration-wall so I read no further.
> >
> I had in mind suggesting using IpCop on a spare computer between the router
> and the network, but
> see that it has not been updated since 2015, and the last item in the press
> for it was 2010.
>
> Peter
>

I think you will find it's now called IPFire. I think they have a free and a
paid-for version, including hardware devices as well.

Tim H


Re: [Dorset] Linux bridging software for MTDfV

2019-03-09 Thread Ralph Corderoy
Hi Tim,

> Come April all VAT returns to HMRC will need to be through a new
> digital portal. This is Making Tax Digital for VAT.

Did you get anywhere with this?  I did some digging at the time and
still have a bunch of browser tabs open from then, but didn't have time
to write it up.  I'll revise their content and do that if it's not now a
solved problem.

-- 
Cheers, Ralph.


Re: [Dorset] Monitoring Internet Connectivity.

2019-03-09 Thread PeterMerchant via dorset

On 09/03/2019 10:58, Ralph Corderoy wrote:

> Hi Patrick,
>
> > I have got the impression from these messages that Tim might be quite
> > enjoying the cat and mouse game
>
> A motivated attacker seems preferable to a consuming CC#2.  :-)
>
> > and so going straight for the 'nuclear option' of RADIUS might spoil
> > the fun!
>
> True.  It occurred to me that Draytek may already provide a RADIUS
> server, and Google says they do,
> https://www.draytek.co.uk/support/guides/kb-internal-radius, but it's
> behind a registration-wall so I read no further.

I had in mind suggesting using IpCop on a spare computer between the router 
and the network, but see that it has not been updated since 2015, and the last 
item in the press for it was 2010.

Peter



Re: [Dorset] Monitoring Internet Connectivity.

2019-03-09 Thread Ralph Corderoy
Hi Patrick,

> I have got the impression from these messages that Tim might be quite
> enjoying the cat and mouse game

A motivated attacker seems preferable to a consuming CC#2.  :-)

> and so going straight for the 'nuclear option' of RADIUS might spoil
> the fun!

True.  It occurred to me that Draytek may already provide a RADIUS
server, and Google says they do,
https://www.draytek.co.uk/support/guides/kb-internal-radius, but it's
behind a registration-wall so I read no further.

-- 
Cheers, Ralph.
