Re: [WISPA]How to Authenticate/Protect (WasEthernetbasedauthentication)
Why don't you meet in the middle at my house. :)

Ron Wallace wrote:

> Blair,
>
> Could we get together sometime. I like this architecture. I am at a point, ready to expand, that this is where I need to go. I'm over near Jackson.
>
> Ron Wallace
> Hahnron, Inc.
> 220 S. Jackson St.
> Addison, MI 49220
> Phone: (517) 547-8410
> Mobile: (517) 605-4542
> e-mail: [EMAIL PROTECTED]

--
Brian Rohrbacher
Reliable Internet, LLC
www.reliableinter.net
Cell 269-838-8338
"Caught up in the Air" 1 Thess. 4:17

--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)
centers large enough to handle the size of the global outage.

I often ask myself, would I be better off had I made my network simple, it's likely we'd still have more of the larger profile customers.

The reality is when a customer's bandwidth starts to be used, they are not smart enough to understand why it is being used, they just feel the performance. So usually a slow performing client, turns into a speed upgrade. Once they like you and have you, they don't think twice to upgrade to faster performance.

I'm not saying is wrong. I plan on keeping a sophisticated routed network. I'm just saying, do it at the right time for you. When you install today, keep it simple, but buy gear that will allow you to transition to a more complicated design when you are at the stage to handle it, the stage when you need it.

PS. Someone said "IP authentication". What's that?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

- Original Message -
From: "Marlon K. Schafer (509) 982-2181" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Tuesday, December 06, 2005 7:55 PM
Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

Yeah, until some lunkhead plugs his dsl router in backward. As they do all the time around here

No thanks, no more DHCP troubles for me. Been there done that. Twice. Never again.

Marlon
(509) 982-2181 Equipment sales
(408) 907-6910 (Vonage) Consulting services
42846865 (icq) And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

- Original Message -
From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "WISPA General List"
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

The same way you do it if you didn't run DHCP. Use PPPoE, HotSpot, static DHCP based on MAC, ACL for association at the AP, any number of ways.
DHCP has little to do with authentication, although it can be a part of the process. What DHCP does is automate the user TCP settings so that if you renumber your system in order to move to routing it is painless to assign new numbers. If you have to change DNS servers then that is also easy. Just change the DHCP config and within an hour everybody is using the new DNS.

Don't run a network without it. It is priceless.

Lonnie

On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:

Lonnie,
So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate the users. I'm a real rookie at this.
Ron Wallace

Original message
>Date: Tue, 6 Dec 2005 11:52:08 -0800
>From: Lonnie Nunweiler <[EMAIL PROTECTED]>
>Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet basedauthentication)
>To: WISPA General List
>
>If you take Marlon's advice and do not run DHCP then you get to have
>that personal contact with each and every subscriber if you ever have
>to change network settings. With DHCP running it is real simple and
>quick to edit the DHCP config and wait for the DHCP client renewal.
>
>My advice is completely the opposite. Use DHCP for all of your
>customers. You will be happy you did and will mutter things when you
>encounter someone who is not on DHCP.
>
>The personal contact is nice but what if you have several hundred
>customers? That is just a little too nice for my tastes.
>
>Lonnie
>
>On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
>> Don't run DHCP! And use mac filtering at the ap's. (I use the smartbridges
>> ap's. they'll do radius and authenticate wireless subs just like my dialup
>> ones.)
>>
>> Marlon
>> (509) 982-2181 Equipment sales
>> (408) 907-6910 (Vonage) Consulting services
>> 42846865 (icq) And I run my own wisp!
>> 64.146.146.12 (net meeting)
>> www.odessaoffice.com/wireless
>> www.odessaoffice.com/marlon/cam
>>
>> - Original Message -
>> From: "Jason" <[EMAIL PROTECTED]>
>> To: "WISPA General List"
>> Sent: Monday, December 05, 2005 9:39 PM
>> Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
>> basedauthentication)
>>
>> > Marlon,
>> >
>> > I appreciate the advice. Mostly I am interested in bullet proof
>> > authentication of my clients. Any suggestions?
>> >
>> > Jason
>> >
>> > Marlon K. Schafer (509) 982
Re: [WISPA]How to Authenticate/Protect (WasEthernetbasedauthentication)
Sure. Call me, or reply offlist.

Also, as I see no overlap of our service areas, would you like to link directly to each other?

Maybe something like "If you are looking for coverage in the Jackson area, try www.newgenet.net" on my site and "If you need service in Allegan County, try www.wmwisp.net" on your site.

Just a thought

Blair

Ron Wallace wrote:

> Blair,
>
> Could we get together sometime. I like this architecture. I am at a point, ready to expand, that this is where I need to go. I'm over near Jackson.
>
> Ron Wallace
> Hahnron, Inc.
> 220 S. Jackson St.
> Addison, MI 49220
> Phone: (517) 547-8410
> Mobile: (517) 605-4542
> e-mail: [EMAIL PROTECTED]

--
Blair Davis
AOL IM Screen Name -- Theory240
West Michigan Wireless ISP
269-686-8648
A division of:
Camp Communication Services, INC
Re: [WISPA]How to Authenticate/Protect (WasEthernetbasedauthentication)
Blair,

Could we get together sometime. I like this architecture. I am at a point, ready to expand, that this is where I need to go. I'm over near Jackson.

Ron Wallace
Hahnron, Inc.
220 S. Jackson St.
Addison, MI 49220
Phone: (517) 547-8410
Mobile: (517) 605-4542
e-mail: [EMAIL PROTECTED]
Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)
How were you looking at routing to use 3 for 1? I have never setup routing that way and would like to be sure I don't. I am running fully routed from the get-go, with 3 internal routers and a 4th going in Friday. Actually 2 MTs as router only and 2 that are "routing APs". Scott Reed Owner NewWays Wireless Networking Network Design, Installation and Administration www.nwwnet.net The season is Christmas, not X-mas, not the holiday, but Christmas, because Christ was born to provide salvation to all who will believe! -- Original Message --- From: "Marlon K. Schafer (509) 982-2181" <[EMAIL PROTECTED]> To: "WISPA General List" Sent: Wed, 7 Dec 2005 10:05:52 -0800 Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication) > The idea, for me is that by the time a company gets to the point that they > need to route they'll either know what they are doing. And/or they'll have > someone on staff just to handle that issue. > > The other problem I ran into back when was a shortage of ip addys. And > routing to every customer wastes three ip addys for every one you get to > actually use. I don't think that's responsible stewardship. > > My new ap's block client to client communications, and new manages switches > that will vlan and packet filter will be the next upgrades I'll do. > > We just broke the network in two. So I've got 150ish broadband subs on one > system and 150 on another. Not exact numbers but close. One of the systems > went from t-1 to 10 meg so I don't have good numbers as to performance > issues. > > The other one still has 100 megs coming into it. On that system I see no > difference. > > I'm sure there's room for improvement. There always will be if a guy wants > to stay anywhere near the head of the pack. > > One other thing that's not been brought up yet is over building. 
Today we > can build 3 to 10x more capacity into the network than the average customer > is demanding for the same cost or very nearly so as building to meet > customer demands. Having more capacity than is needed, so far, is allowing > us to significantly simplify the network. Anyone can walk in here tomorrow > and take over with a few phone calls to tech support at most. There's > nothing fancy going on here. That's part of why I can take care of 250 > wireless subs, 50 fiber customers and hundreds of dialup people with me and > two gals that share a part time office job. Our wireless churn is almost > nil. I've lost a couple lately due to some trouble at a tower site. It's > caused by jerk off competitors and their 1 watt amps and 15+ db sector > antennas though. And I tried to use a $120 sector where I normally use $400 > ones. I'm not sure I'll ever learn that lesson :-). > > Will we have to redo the network at some point in the future? Sure. Will > it suck? Sure. But that's then and this is now. We just redid half of it > and it sucked. Big time. But only for a few days. WE have taken the time > to teach our customers how to do their own networking stuff just like we > took the time to teach them how to do their own dialup stuff. When we need > to make changes (or the customer changes their gear) they can usually take > care of it themselves or with a little help from us via the phone. > > Both models work. The real trick is making sure that they get deployed in > the right situation. Too big of a hammer is sometimes just as bad as too > small of a one or vice verse. > > Oh yeah, I'm tired of hearing small networks getting talked down to. With > 100 subs the average guy should be putting $2,000 to $3,000 per month in the > bank. That's enough money to keep the average mom home with the kids! We'd > be there today if we would just stop growing. Man, a mom at home with the > kids AND good cars to drive and a dad that's not working 80 hours per week. 
> Small WISPs are right in there with the American dream man! This is good > stuff! > > Laters, > Marlon > (509) 982-2181 Equipment sales > (408) 907-6910 (Vonage) Consulting services > 42846865 (icq) And I run my own wisp! > 64.146.146.12 (net meeting) > www.odessaoffice.com/wireless > www.odessaoffice.com/marlon/cam > > - Original Message - > From: "Lonnie Nunw
Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)
The idea, for me is that by the time a company gets to the point that they need to route they'll either know what they are doing. And/or they'll have someone on staff just to handle that issue. The other problem I ran into back when was a shortage of ip addys. And routing to every customer wastes three ip addys for every one you get to actually use. I don't think that's responsible stewardship. My new ap's block client to client communications, and new manages switches that will vlan and packet filter will be the next upgrades I'll do. We just broke the network in two. So I've got 150ish broadband subs on one system and 150 on another. Not exact numbers but close. One of the systems went from t-1 to 10 meg so I don't have good numbers as to performance issues. The other one still has 100 megs coming into it. On that system I see no difference. I'm sure there's room for improvement. There always will be if a guy wants to stay anywhere near the head of the pack. One other thing that's not been brought up yet is over building. Today we can build 3 to 10x more capacity into the network than the average customer is demanding for the same cost or very nearly so as building to meet customer demands. Having more capacity than is needed, so far, is allowing us to significantly simplify the network. Anyone can walk in here tomorrow and take over with a few phone calls to tech support at most. There's nothing fancy going on here. That's part of why I can take care of 250 wireless subs, 50 fiber customers and hundreds of dialup people with me and two gals that share a part time office job. Our wireless churn is almost nil. I've lost a couple lately due to some trouble at a tower site. It's caused by jerk off competitors and their 1 watt amps and 15+ db sector antennas though. And I tried to use a $120 sector where I normally use $400 ones. I'm not sure I'll ever learn that lesson :-). Will we have to redo the network at some point in the future? Sure. Will it suck? Sure. 
But that's then and this is now. We just redid half of it and it sucked. Big time. But only for a few days. WE have taken the time to teach our customers how to do their own networking stuff just like we took the time to teach them how to do their own dialup stuff. When we need to make changes (or the customer changes their gear) they can usually take care of it themselves or with a little help from us via the phone. Both models work. The real trick is making sure that they get deployed in the right situation. Too big of a hammer is sometimes just as bad as too small of a one or vice verse. Oh yeah, I'm tired of hearing small networks getting talked down to. With 100 subs the average guy should be putting $2,000 to $3,000 per month in the bank. That's enough money to keep the average mom home with the kids! We'd be there today if we would just stop growing. Man, a mom at home with the kids AND good cars to drive and a dad that's not working 80 hours per week. Small WISPs are right in there with the American dream man! This is good stuff! Laters, Marlon (509) 982-2181 Equipment sales (408) 907-6910 (Vonage)Consulting services 42846865 (icq)And I run my own wisp! 64.146.146.12 (net meeting) www.odessaoffice.com/wireless www.odessaoffice.com/marlon/cam - Original Message - From: "Lonnie Nunweiler" <[EMAIL PROTECTED]> To: "WISPA General List" Sent: Tuesday, December 06, 2005 5:43 PM Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication) And that is the second thing that guys do wrong. They use simple bridged clients which are vulnerable to the issue of the backwards router and they create a host of other issues. You are building a network that connects to the Internet so why not use the same network design that the Internet uses? Routed. Sure you will find sections that are bridged but anything that leaves the backbone is routed to the customer. Bridged or rather no design is fine for small simple networks. 
Just plug things in and get on to the next job. As you grow the troubles will begin and then, eventually, you will have to reorganize your entire network and move to a routed design. Why wait for all that pain? Do it right, from the start. Allow yourself to grow and not have to go through that second painful redesign. I am usually silent and just watch the lists, but when I see wrong advice given I cannot watch in silence. It is wrong to not use DHCP and it is wrong to use a bridged design. If you have intentions of doing any sort of large customer base, please plan it correctly from the start. Do not listen to the guys who tell you to do it quick and dirty. I know this sounds prea
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
We do it a bit differently

We run a routed network with static, private IPs.

Each tower is assigned a private IP subnet. Clients are assigned a private, static IP in the subnet of the tower they connect to.

MikroTiks at my T1's control NAT rules that enable and disable individual clients.

This also allows us to easily run point to point traffic across our wireless network to link a customer's remote sites together without loading our T1's down.

We also use this to provide special services to our agricultural clients including remote sensor monitoring, remote control of equipment and video monitoring.

We also firewall all our clients...

--
Blair Davis
AOL IM Screen Name -- Theory240
West Michigan Wireless ISP
269-686-8648
A division of:
Camp Communication Services, INC
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
Mac Dearman wrote: Well, I agree to a point with both of you (Nunweiler & Marlon)- - you know I am different - - kinda like rocky roads ice cream, just sweeter :-) I don't like DHCP for the client as its just too easy and requires no interaction with the client - EVER! I also dont like the fact that you get all the info you need to successfully connect to the internet "automatically" when you point "any" WiFi compatible device at one of my towers. I might as well give you the keys to my lock box in the bank :-) I think I will leave the DHCP off, make a trip to your house and assign your IP statically as well as your DNS. I dont ever foresee changing my DNS servers addys, but if I do then its just a matter of making DNS resolve to whatever I want it to. Its all in DNS baby :-) On the other hand - - If you do DHCP and someone plugs their router in backwards you are screwed! There are no "ifs" "ands" or "buts" - - all you are lacking is the tattoo! If any portion of your network is set to receive a DHCP number - - it will do just that - - it dont care where it comes from - - it just wants a number and whoever/whatever answers the DHCP request - - its got a number that fits the niche even though it will totally disable the persons internet connection. I aint for sure if I made it to the other hand yet or not so I shall continue till I run out of Margaritas (new recipe) or chicken.(ancient Chinese secret) Doing a static routed network is for the birds!! I am not calling any names, but I have personally witnessed several "mighty fine" wireless Gurus sit at the base of a tower and hack away 5 pages (front and back) (hours!) of legal paper with static routes on them to add a new Access point!! If you get 1 static route upstream wrong (read - - one number) then you aint done JACK! Static routes is not the answer either. 
Static routing is just like bridging - - it will get you by a while, but you will surely move on to the real answer - -OSPF I have tried doing the static routing and I will tell you its like pulling my own teeth with out any anesthetics. It is not an answer, but a short term thing that could definitely last longer than bridging - - its a fact. If a man wants to do something that will put him a long time in the future before having to do anything different - - I mean in excess of several thousand clients I suggest this: 1. Do not do DHCP - -assign static IPs Does anyone know what DHCP *RESERVATIONS* are for? You don't get an address unless you are assigned an address based on client MAC address 2. implement OSPF and route your backbone Good stuff maynard... 3. Bridge from the AP to the client - (get real, why would you need to route to the client? where else can the traffic go if the backbone is routed and its a one way street?) 4. Do MAC with IP authentication via radius - or - PPPoE (either one is a real solution) each have their strengths and weaknesses 5. OSPF! (redundancy - YES!) 6. A really good "MikroTik Man" on the payroll and RB532's I do have suggestions and a name for this man!! call me! 7. DO NOT BUILD A TOTALLY BRIDGED NETWORK - - unless you plan to stay a really small fish (minnow) in a really big Ocean! I can attest what a mistake a bridged network can/will be! I can also attest to how easy it is to build, how FINE it runs and how fast that sucker will crumble down to the ground as you are standing at a keyboard trying all you know how to - - to no avail!! I can attest that you will learn a lot of stuff the hard way, how close you will learn such tools as Ethereal and angry ip, how much time you (& in my case - my wife) will spend hunting a single vicious virus on a tremendous network because it affects a bridged network like the "walking" Pneumonia affects you and I - - its effects move around on the network!! 
O - - I can tell you some horror stories alright, but better than calling me - - call my wife!

Alright - - I now am stepping off my soap box and the floor is open! hehehehehe (I am not opinionated)

Margaritas anyone?

Mac Dearman
Maximum Access, LLC.
www.inetsouth.com
www.radioresponse.org (Katrina relief efforts)
318-728-8600 - Rayville
318-728-9600
318-376-2562 - cell
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
On Tue, 6 Dec 2005, Mac Dearman wrote:

> Margaritas anyone?

Bring 'em on, Mac! I need one (quart) after that. :-)

--
Butch Evans
BPS Networks http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant (http://www.mikrotik.com/consultants.html)
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
On Tue, 6 Dec 2005, Lonnie Nunweiler wrote:

> And that is the second thing that guys do wrong. They use simple bridged clients which are vulnerable to the issue of the backwards router and they create a host of other issues.

Lonnie, I will give you an AMEN (again) for touting the many benefits of a properly designed network. I am right there with ya. I hope it "takes" for some folks here.

> I am usually silent and just watch the lists, but when I see wrong advice given I cannot watch in silence. It is wrong to not use DHCP and it is wrong to use a bridged design. If you have intentions of

For the most part, I would agree with this. DHCP is a good idea. PPPoE is better (IMHO). Both offer the benefits of easy renumbering. PPPoE offers authentication as a "bonus". Hotspot will do the same thing and (perhaps) even better authentication if properly implemented. As for being "wrong" to not use DHCP...well, that is a matter of design. I will agree with the idea that a bridged network is a very poor design choice...but you all knew that about me anyway. ;-)

--
Butch Evans
BPS Networks http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant (http://www.mikrotik.com/consultants.html)
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
On Tue, 6 Dec 2005, Marlon K. Schafer (509) 982-2181 wrote:

> Yeah, until some lunkhead plugs his dsl router in backward. As they do all the time around here

Mikrotik has a builtin option that will discover rogue DHCP servers. It will identify the MAC addy of the rogue server. A simple removal (or identification of) that MAC from the ACL on the tower will eliminate this as an issue.

--
Butch Evans
BPS Networks http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant (http://www.mikrotik.com/consultants.html)
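
The rogue-DHCP check discussed in the message above, sketched as an added example (not part of the original post and not MikroTik's implementation): it parses captured Ethernet frames, picks out DHCP OFFER/ACK replies, and reports the source MAC of any server that is not on the authorized list. The frames, MAC addresses, IP addresses and function names are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options
OFFER, ACK = 2, 5             # option 53 values that only a server sends


def parse_dhcp_reply(frame):
    """Return (source MAC, server identifier, message type) for a DHCP
    OFFER/ACK carried in an Ethernet/IPv4/UDP frame, otherwise None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:     # UDP only
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if (sport, dport) != (67, 68):                       # server -> client
        return None
    bootp = ip[ihl + 8:]
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != MAGIC:
        return None
    msg_type = server_id = None
    opts, i = bootp[240:], 0
    while i < len(opts) and opts[i] != 255:              # 255 = end option
        if opts[i] == 0:                                 # 0 = pad, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                        # truncated option
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if len(value) < length:
            break
        if code == 53 and length == 1:                   # DHCP message type
            msg_type = value[0]
        elif code == 54 and length == 4:                 # server identifier
            server_id = ".".join(str(b) for b in value)
        i += 2 + length
    if msg_type not in (OFFER, ACK):
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, server_id, msg_type


def find_rogue_servers(frames, authorized_macs):
    """Map each unauthorized server MAC to its server IDs and reply count."""
    allowed = {m.lower() for m in authorized_macs}
    rogues = {}
    for frame in frames:
        reply = parse_dhcp_reply(frame)
        if reply is None or reply[0] in allowed:
            continue
        entry = rogues.setdefault(reply[0], {"server_ids": set(), "replies": 0})
        entry["server_ids"].add(reply[1])
        entry["replies"] += 1
    return rogues


def build_frame(src_mac, src_ip, sport, dport, op, msg_type, server_id=None):
    """Constructed sample frame (checksums left at zero; parser ignores them)."""
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    bootp = bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + opts + b"\xff"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")), b"\xff" * 4)
    mac = bytes.fromhex(src_mac.replace(":", ""))
    return b"\xff" * 6 + mac + b"\x08\x00" + ip + udp


# Constructed capture: one client DISCOVER, replies from the ISP's DHCP
# server, and replies from a customer router plugged in backward.
AUTHORIZED_MACS = {"02:00:00:00:00:01"}
SAMPLE_FRAMES = [
    build_frame("02:00:00:11:22:33", "0.0.0.0", 68, 67, 1, 1),
    build_frame("02:00:00:00:00:01", "10.0.0.1", 67, 68, 2, OFFER, "10.0.0.1"),
    build_frame("02:00:00:aa:bb:cc", "192.168.1.1", 67, 68, 2, OFFER, "192.168.1.1"),
    build_frame("02:00:00:00:00:01", "10.0.0.1", 67, 68, 2, ACK, "10.0.0.1"),
    build_frame("02:00:00:aa:bb:cc", "192.168.1.1", 67, 68, 2, ACK, "192.168.1.1"),
]

if __name__ == "__main__":
    for mac, info in find_rogue_servers(SAMPLE_FRAMES, AUTHORIZED_MACS).items():
        print(mac, sorted(info["server_ids"]), info["replies"])
```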
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
that second painful redesign. I am usually silent and just watch the lists, but when I see wrong advice given I cannot watch in silence. It is wrong to not use DHCP and it is wrong to use a bridged design. If you have intentions of doing any sort of large customer base, please plan it correctly from the start. Do not listen to the guys who tell you to do it quick and dirty. I know this sounds preachy, but man, I get 10 calls a day from people who have stated out quick and dirty and they reach a certain size or get certain types of traffic, and their network just collapses. The fix is to go to routed and when they realize how much work it is to convert it, they all wish they had followed my consistent advice. For more than 5 years I have said the same thing on the various lists. I even got kicked off the Judd list for not backing down and agreeing that hacked together bridges were the way to go. Regards, Lonnie On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote: Yeah, until some lunkhead plugs his dsl router in backward. As they do all the time around here No thanks, no more DHCP troubles for me. Been there done that. Twice. Never again. Marlon (509) 982-2181 Equipment sales (408) 907-6910 (Vonage)Consulting services 42846865 (icq)And I run my own wisp! 64.146.146.12 (net meeting) www.odessaoffice.com/wireless www.odessaoffice.com/marlon/cam - Original Message - From: "Lonnie Nunweiler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; "WISPA General List" Sent: Tuesday, December 06, 2005 2:27 PM Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication) The same way you do it if you didn't run DHCP. Use PPPoE, HotSpot, static DHCP based on MAC, ACL for association at the AP, any number of ways. DHCP has little to do with authentication, although it can be a part of the process. What DHCP does is automate the user TCP settings so that if you renumber your system in order to move to routing it is painless to assign new numbers. 
If you have to change DNS servers then that is also easy. Just change the DHCP config and within an hour everybody is using the new DNS. Don't run a network without it. It is priceless. Lonnie On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote: Lonnie, So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate the users. I'm a real rookie at this. Ron Wallace Original message Date: Tue, 6 Dec 2005 11:52:08 -0800 From: Lonnie Nunweiler <[EMAIL PROTECTED]> Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet basedauthentication) To: WISPA General List If you take Marlon's advice and do not run DHCP then you get to have that personal contact with each and every subscriber if you ever have to change network settings. With DHCP running it is real simple and quick to edit the DHCP config and wait for the DHCP client renewal . My advice is completely the opposite. Use DHCP for all of your customers. You will be happy you did and will mutter things when you encounter someone who is not on DHCP. The personal contact is nice but what if you have several hundred customers? That is just a little too nice for my tastes. Lonnie On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote: Don't run DHCP! And use mac filtering at the ap's. (I use the smartbridges ap's. they'll do radius and authenticate wireless subs just like my dialup ones.) Marlon (509) 982-2181 Equipment sales (408) 907-6910 (Vonage)Consulting services 42846865 (icq)And I run my own wisp! 64.146.146.12 (net meeting) www.odessaoffice.com/wireless www.odessaoffice.com/marlon/cam - Original Message - From: "Jason" <[EMAIL PROTECTED]> To: "WISPA General List" Sent: Monday, December 05, 2005 9:39 PM Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet basedauthentication) Marlon, I appreciate the advice. Mostly I am interested in bullet proof authentication of my clients. Any suggestions? Jason Marlon K. 
Schafer (509) 982-2181 wrote: Hiya Jason, You are mixing your networks You won't normally run a homebrew product to provide a top notch service. If security is of THAT great an importance to you, you should NOT run wifi anything. Put in something much more off the wall. It's a lot harder to snoop if you don't use one of the world's most common protocols. For these business guys I'd run Trango or something like that.
RE: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)
That is why it is so great to have a cpe that does nat routing... dhcp client on the rf, dhcp server on the Ethernet... router backwards...no problems!

Gino A. Villarini,
Aeronet Wireless Broadband Corp.
[EMAIL PROTECTED]
www.aeronetpr.com
787.767.7466

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marlon K. Schafer (509) 982-2181
Sent: Tuesday, December 06, 2005 8:55 PM
To: WISPA General List
Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

Yeah, until some lunkhead plugs his dsl router in backward. As they do all the time around here

No thanks, no more DHCP troubles for me. Been there done that. Twice. Never again.

Marlon
(509) 982-2181 Equipment sales
(408) 907-6910 (Vonage) Consulting services
42846865 (icq) And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

- Original Message -
From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "WISPA General List"
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

The same way you do it if you didn't run DHCP. Use PPPoE, HotSpot, static DHCP based on MAC, ACL for association at the AP, any number of ways.

DHCP has little to do with authentication, although it can be a part of the process. What DHCP does is automate the user TCP settings so that if you renumber your system in order to move to routing it is painless to assign new numbers. If you have to change DNS servers then that is also easy. Just change the DHCP config and within an hour everybody is using the new DNS.

Don't run a network without it. It is priceless.

Lonnie

On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:
> Lonnie,
> So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
> the users. I'm a real rookie at this.
> Ron Wallace
> Original message
> >Date: Tue, 6 Dec 2005 11:52:08 -0800
> >From: Lonnie Nunweiler <[EMAIL PROTECTED]>
> >Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet basedauthentication)
> >To: WISPA General List
> >
> >If you take Marlon's advice and do not run DHCP then you get to have
> >that personal contact with each and every subscriber if you ever have
> >to change network settings. With DHCP running it is real simple and
> >quick to edit the DHCP config and wait for the DHCP client renewal.
> >
> >My advice is completely the opposite. Use DHCP for all of your
> >customers. You will be happy you did and will mutter things when you
> >encounter someone who is not on DHCP.
> >
> >The personal contact is nice but what if you have several hundred
> >customers? That is just a little too nice for my tastes.
> >
> >Lonnie
> >
> >On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> >> Don't run DHCP! And use mac filtering at the ap's. (I use the smartbridges
> >> ap's. they'll do radius and authenticate wireless subs just like my dialup
> >> ones.)
> >>
> >> Marlon
> >> (509) 982-2181 Equipment sales
> >> (408) 907-6910 (Vonage) Consulting services
> >> 42846865 (icq) And I run my own wisp!
> >> 64.146.146.12 (net meeting)
> >> www.odessaoffice.com/wireless
> >> www.odessaoffice.com/marlon/cam
> >>
> >> - Original Message -
> >> From: "Jason" <[EMAIL PROTECTED]>
> >> To: "WISPA General List"
> >> Sent: Monday, December 05, 2005 9:39 PM
> >> Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
> >> basedauthentication)
> >>
> >> > Marlon,
> >> >
> >> > I appreciate the advice. Mostly I am interested in bullet proof
> >> > authentication of my clients. Any suggestions?
> >> >
> >> > Jason
> >> >
> >> > Marlon K. Schafer (509) 982-2181 wrote:
> >> >
> >> >> Hiya Jason,
> >> >>
> >> >> You are mixing your networks You won't normally run a homebrew
> >> >> product to provide a top notch service.
> >> >> > >> >> If security is of THAT great an importance to you, you should NOT > run > >> >> wifi anything. Put in something much more off the wall. It's a
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
And that is the second thing that guys do wrong. They use simple bridged clients which are vulnerable to the issue of the backwards router and they create a host of other issues. You are building a network that connects to the Internet so why not use the same network design that the Internet uses? Routed. Sure you will find sections that are bridged but anything that leaves the backbone is routed to the customer.

Bridged or rather no design is fine for small simple networks. Just plug things in and get on to the next job. As you grow the troubles will begin and then, eventually, you will have to reorganize your entire network and move to a routed design. Why wait for all that pain? Do it right, from the start. Allow yourself to grow and not have to go through that second painful redesign.

I am usually silent and just watch the lists, but when I see wrong advice given I cannot watch in silence. It is wrong to not use DHCP and it is wrong to use a bridged design. If you have intentions of doing any sort of large customer base, please plan it correctly from the start. Do not listen to the guys who tell you to do it quick and dirty.

I know this sounds preachy, but man, I get 10 calls a day from people who have started out quick and dirty and they reach a certain size or get certain types of traffic, and their network just collapses. The fix is to go to routed and when they realize how much work it is to convert it, they all wish they had followed my consistent advice.

For more than 5 years I have said the same thing on the various lists. I even got kicked off the Judd list for not backing down and agreeing that hacked together bridges were the way to go.

Regards,
Lonnie

On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> Yeah, until some lunkhead plugs his dsl router in backward. As they do all
> the time around here
>
> No thanks, no more DHCP troubles for me. Been there done that. Twice.
> Never again.
>
> Marlon
> (509) 982-2181 Equipment sales
> (408) 907-6910 (Vonage) Consulting services
> 42846865 (icq) And I run my own wisp!
> 64.146.146.12 (net meeting)
> www.odessaoffice.com/wireless
> www.odessaoffice.com/marlon/cam
>
> ----- Original Message -----
> From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "WISPA General List"
> Sent: Tuesday, December 06, 2005 2:27 PM
> Subject: Re: [WISPA] How to Authenticate/Protect
> (WasEthernetbasedauthentication)
>
> The same way you do it if you didn't run DHCP. Use PPPoE, HotSpot,
> static DHCP based on MAC, ACL for association at the AP, any number of
> ways.
>
> DHCP has little to do with authentication, although it can be a part
> of the process. What DHCP does is automate the user TCP settings so
> that if you renumber your system in order to move to routing it is
> painless to assign new numbers. If you have to change DNS servers
> then that is also easy. Just change the DHCP config and within an
> hour everybody is using the new DNS.
>
> Don't run a network without it. It is priceless.
>
> Lonnie
>
> On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:
> > Lonnie,
> > So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
> > the users. I'm a real rookie at this.
> > Ron Wallace
> > Original message
> > >Date: Tue, 6 Dec 2005 11:52:08 -0800
> > >From: Lonnie Nunweiler <[EMAIL PROTECTED]>
> > >Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet basedauthentication)
> > >To: WISPA General List
> > >
> > >If you take Marlon's advice and do not run DHCP then you get to have
> > >that personal contact with each and every subscriber if you ever have
> > >to change network settings. With DHCP running it is real simple and
> > >quick to edit the DHCP config and wait for the DHCP client renewal.
> > >
> > >My advice is completely the opposite. Use DHCP for all of your
> > >customers. You will be happy you did and will mutter things when you
> > >encounter someone who is not on DHCP.
> > >
> > >The personal contact is nice but what if you have several hundred
> > >customers? That is just a little too nice for my tastes.
> > >
> > >Lonnie
> > >
> > >On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> > >> Don't run DHCP! And use mac filtering at the ap's. (I use the smartbridges
> > >> ap's. they'll do radius and authenticate wireless subs just like my
Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
Yeah, until some lunkhead plugs his dsl router in backward. As they do all the time around here.

No thanks, no more DHCP troubles for me. Been there done that. Twice. Never again.

Marlon
(509) 982-2181 Equipment sales
(408) 907-6910 (Vonage) Consulting services
42846865 (icq) And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

----- Original Message -----
From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "WISPA General List"
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

The same way you do it if you didn't run DHCP. Use PPPoE, HotSpot, static DHCP based on MAC, ACL for association at the AP, any number of ways.

DHCP has little to do with authentication, although it can be a part of the process. What DHCP does is automate the user TCP settings so that if you renumber your system in order to move to routing it is painless to assign new numbers. If you have to change DNS servers then that is also easy. Just change the DHCP config and within an hour everybody is using the new DNS.

Don't run a network without it. It is priceless.

Lonnie

On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:
Lonnie,
So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate the users. I'm a real rookie at this.
Ron Wallace
Original message
>Date: Tue, 6 Dec 2005 11:52:08 -0800
>From: Lonnie Nunweiler <[EMAIL PROTECTED]>
>Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet basedauthentication)
>To: WISPA General List
>
>If you take Marlon's advice and do not run DHCP then you get to have
>that personal contact with each and every subscriber if you ever have
>to change network settings. With DHCP running it is real simple and
>quick to edit the DHCP config and wait for the DHCP client renewal.
>
>My advice is completely the opposite. Use DHCP for all of your
>customers. You will be happy you did and will mutter things when you
>encounter someone who is not on DHCP.
>
>The personal contact is nice but what if you have several hundred
>customers? That is just a little too nice for my tastes.
>
>Lonnie
>
>On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
>> Don't run DHCP! And use mac filtering at the ap's. (I use the smartbridges
>> ap's. they'll do radius and authenticate wireless subs just like my dialup
>> ones.)
>>
>> Marlon
>> (509) 982-2181 Equipment sales
>> (408) 907-6910 (Vonage) Consulting services
>> 42846865 (icq) And I run my own wisp!
>> 64.146.146.12 (net meeting)
>> www.odessaoffice.com/wireless
>> www.odessaoffice.com/marlon/cam
>>
>> ----- Original Message -----
>> From: "Jason" <[EMAIL PROTECTED]>
>> To: "WISPA General List"
>> Sent: Monday, December 05, 2005 9:39 PM
>> Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
>> basedauthentication)
>>
>> > Marlon,
>> >
>> >I appreciate the advice. Mostly I am interested in bullet proof
>> > authentication of my clients. Any suggestions?
>> >
>> > Jason
>> >
>> > Marlon K. Schafer (509) 982-2181 wrote:
>> >
>> >> Hiya Jason,
>> >>
>> >> You are mixing your networks You won't normally run a homebrew
>> >> product to provide a top notch service.
>> >>
>> >> If security is of THAT great an importance to you, you should NOT run
>> >> wifi anything. Put in something much more off the wall. It's a lot
>> >> harder to snoop if you don't use one of the world's most common
>> >> protocols.
>> >>
>> >> For these business guys I'd run Trango or something like that. Good
>> >> stuff but not nearly as much of it in use and no free tools on the
>> >> internet for intercepting and cracking the data stream.
>> >>
>> >> What we do is remind our customers that this is the internet. They are
>> >> hanging out there for thousands upon thousands of people whose only
>> >> purpose in life is breaking into their machines and seeing what they can
>> >> learn. If they have data that's that sensitive then they need a high end
>> >> internal firewall and they need to VPN all internet traffic.
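The "router plugged in backward" problem argued over in this thread shows up on a bridged segment as DHCP replies from a server the operator does not run. The following is an added example, not code from any list participant: it parses DHCP payloads (UDP ports 67/68, from any capture source) and reports unauthorized server identifiers. The function names, the allowlist address and the sample packets are constructed assumptions.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie (RFC 2131)
AUTHORIZED = {"10.0.0.1"}          # assumption: the operator's own DHCP server

def parse_dhcp(payload):
    """Return (op, message type, server id), or None if not well-formed DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        code, length = payload[i], payload[i + 1]
        if code == 0:                                   # pad has no length byte
            i += 1
            continue
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            return None                                 # truncated option
        if code == 53 and length == 1:                  # DHCP message type
            msg_type = value[0]
        elif code == 54 and length == 4:                # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return payload[0], msg_type, server_id

def rogue_servers(payloads, authorized=AUTHORIZED):
    """Server ids in OFFER (2) / ACK (5) replies that are not on the allowlist."""
    rogue = set()
    # filter(None, ...) drops payloads that parse_dhcp rejected
    for op, msg_type, server_id in filter(None, map(parse_dhcp, payloads)):
        if op == 2 and msg_type in (2, 5) and server_id and server_id not in authorized:
            rogue.add(server_id)
    return sorted(rogue)

def build_reply(server_ip, your_ip, msg_type=2):
    """Constructed sample packet: minimal BOOTREPLY carrying options 53 and 54."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)          # op .. flags
    fixed += b"\x00" * 4 + socket.inet_aton(your_ip) + b"\x00" * 8    # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes.fromhex("020000000001").ljust(16 + 192, b"\x00")   # chaddr, sname, file
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return fixed + MAGIC + options

# Constructed capture: the real server, a customer router answering twice, and junk.
SAMPLE = [build_reply("10.0.0.1", "10.0.0.50"), build_reply("192.168.1.1", "192.168.1.100"),
          build_reply("192.168.1.1", "192.168.1.100", msg_type=5), b"\x00" * 20]

if __name__ == "__main__":
    print(rogue_servers(SAMPLE))
```

A hit here identifies the offending server address; the routed CPE design described in the thread keeps such replies off the shared segment in the first place.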