Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-07 Thread John Thomas

Mac Dearman wrote:


Well,

  I agree to a point with both of you (Nunweiler & Marlon) - - you know 
I am different - - kinda like rocky road ice cream, just sweeter :-)


I don't like DHCP for the client as it's just too easy and requires no 
interaction with the client - EVER! I also don't like the fact that you 
get all the info you need to successfully connect to the internet 
automatically when you point any WiFi compatible device at one of 
my towers. I might as well give you the keys to my lock box in the 
bank :-)   I think I will leave the DHCP off, make a trip to your 
house and assign your IP statically as well as your DNS. I don't ever 
foresee changing my DNS servers' addys, but if I do then it's just a 
matter of making DNS resolve to whatever I want it to. It's all in DNS 
baby :-)


On the other hand - - If you do DHCP and someone plugs their router in 
backwards you are screwed! There are no ifs, ands or buts - - 
all you are lacking is the tattoo! If any portion of your network is 
set to receive a DHCP number - - it will do just that - - it don't care 
where it comes from - - it just wants a number and whoever/whatever 
answers the DHCP request - - it's got a number that fits the niche even 
though it will totally disable the person's internet connection.


I ain't for sure if I made it to the other hand yet or not so I shall 
continue till I run out of Margaritas (new recipe) or chicken (ancient 
Chinese secret).   Doing a static routed network is for the birds!! I 
am not calling any names, but I have personally witnessed several 
mighty fine wireless Gurus sit at the base of a tower and hack away 
5 pages (front and back) (hours!) of legal paper with static routes 
on them to add a new Access point!! If you get 1 static route upstream 
wrong (read - - one number) then you ain't done JACK! Static routes is 
not the answer either. Static routing is just like bridging - - it 
will get you by a while, but you will surely move on to the real 
answer - - OSPF


  I have tried doing the static routing and I will tell you it's like 
pulling my own teeth without any anesthetics. It is not an answer, 
but a short term thing that could definitely last longer than bridging 
- - it's a fact. If a man wants to do something that will put him a 
long time in the future before having to do anything different  - - I 
mean in excess of several thousand clients I suggest this:


1. Do not do DHCP - -assign static IPs


Does anyone know what DHCP *RESERVATIONS* are for? You don't get an 
address unless you are assigned an address based on client MAC address



2. implement OSPF and route your backbone



Good stuff maynard...

3. Bridge from the AP to the client - (get real, why would you need to 
route to the client? where else can the traffic go if the backbone is 
routed  and its a one way street?)


4. Do MAC with IP authentication via radius - or - PPPoE (either one is 
a real solution) each have their strengths and weaknesses



5. OSPF! (redundancy - YES!)
6. A really good MikroTik Man on the payroll and RB532's I do 
have suggestions and a name for this man!! call me!
7. DO NOT BUILD A TOTALLY BRIDGED NETWORK - - unless you plan to stay 
a really small fish (minnow) in a really big Ocean! I can attest what 
a mistake a bridged network can/will be! I can also attest to how easy 
it is to build, how FINE it runs and how fast that sucker will crumble 
down to the ground as you are standing at a keyboard trying all you 
know how to - - to no avail!! I can attest that you will learn a lot 
of stuff the hard way, how close you will learn such tools as Ethereal 
and angry ip, how much time you ( in my case - my wife)  will spend 
hunting a single vicious virus on a tremendous network because it 
affects a bridged network like the walking Pneumonia affects you and 
I - - its effects move around on the network!!  O  - - I can tell 
you some horror stories alright, but better than calling me - - call 
my wife!


Alright - - I now am stepping off my soap box and the floor is open! 
hehehehehe( I am not opinionated)


Margaritas anyone?


Mac Dearman
Maximum Access, LLC.
www.inetsouth.com
www.radioresponse.org (Katrina relief efforts)
318-728-8600 - Rayville
318-728-9600
318-376-2562 - cell






SNIP



--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
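
The "router plugged in backwards" failure described in the message above is an unauthorized DHCP server answering clients on a bridged segment. As an added example (not code from any poster in this thread), the following Python parses captured DHCP reply payloads and reports OFFER/ACK messages whose server identifier is not on the operator's allow-list. The addresses, MAC addresses, function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236  # BOOTP header bytes that precede the magic cookie
BOOTREPLY = 2
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(payload):
    """Parse a DHCP UDP payload. Returns a dict, or None if it is malformed."""
    if len(payload) < FIXED_LEN + 4:
        return None
    if payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        return None
    op, hlen = payload[0], payload[2]
    if hlen > 16:
        return None
    options = {}
    i = FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None  # option code with no length byte
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None  # option runs past the end of the packet
        options[code] = data
        i += 2 + length
    return {
        "op": op,
        "yiaddr": ipaddress.IPv4Address(payload[16:20]),
        "client_mac": payload[28:28 + hlen].hex(":"),
        "options": options,
    }


def find_rogue_replies(frames, authorized_servers):
    """frames: iterable of (frame source MAC, DHCP payload) pairs.

    Returns one finding per OFFER/ACK whose server identifier (option 54)
    is missing or not in authorized_servers.
    """
    allowed = {ipaddress.IPv4Address(a) for a in authorized_servers}
    findings = []
    for src_mac, payload in frames:
        pkt = parse_dhcp(payload)
        if pkt is None or pkt["op"] != BOOTREPLY:
            continue
        if pkt["options"].get(OPT_MSG_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
            continue
        raw_id = pkt["options"].get(OPT_SERVER_ID, b"")
        server_id = ipaddress.IPv4Address(raw_id) if len(raw_id) == 4 else None
        if server_id in allowed:
            continue
        raw_gw = pkt["options"].get(OPT_ROUTER, b"")
        findings.append({
            "source_mac": src_mac,  # where to look on the bridge/AP
            "server_id": str(server_id) if server_id is not None else None,
            "offered_ip": str(pkt["yiaddr"]),
            "gateway": str(ipaddress.IPv4Address(raw_gw[:4])) if len(raw_gw) >= 4 else None,
            "client_mac": pkt["client_mac"],
        })
    return findings


def build_reply(msg_type, server_ip, offered_ip, gateway_ip, client_mac):
    """Construct a minimal DHCP reply payload (sample data for this example)."""
    server = ipaddress.IPv4Address(server_ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0,          # op, htype (Ethernet), hlen, hops
        0x1234ABCD, 0, 0,            # xid, secs, flags
        bytes(4),                    # ciaddr
        ipaddress.IPv4Address(offered_ip).packed,  # yiaddr
        server,                      # siaddr
        bytes(4),                    # giaddr
        bytes.fromhex(client_mac.replace(":", "")), b"", b"",  # chaddr, sname, file
    )
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + server
               + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(gateway_ip).packed
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed sample capture: the operator's server is 10.10.0.1; a customer
# router with its LAN side facing the network answers as 192.168.1.1.
CLIENT = "02:00:00:00:00:99"
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", build_reply(DHCPOFFER, "10.10.0.1", "10.10.0.57", "10.10.0.1", CLIENT)),
    ("02:00:00:00:be:ef", build_reply(DHCPOFFER, "192.168.1.1", "192.168.1.100", "192.168.1.1", CLIENT)),
    ("02:00:00:00:be:ef", build_reply(DHCPACK, "192.168.1.1", "192.168.1.100", "192.168.1.1", CLIENT)),
    # Truncated payload: rejected by the parser rather than misreported.
    ("02:00:00:00:be:ef", build_reply(DHCPOFFER, "192.168.1.1", "192.168.1.100", "192.168.1.1", CLIENT)[:250]),
]

if __name__ == "__main__":
    for finding in find_rogue_replies(SAMPLE_FRAMES, ["10.10.0.1"]):
        print(finding)
```

The frame source MAC in each finding is what lets the operator trace the offending device to a specific AP or bridge port.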


Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-07 Thread Blair Davis

We do it a bit differently

We run a routed network with static, private IP's.

Each tower is assigned a private IP subnet.  Clients are assigned a 
private, static IP in the subnet of the tower they connect to.


MikroTiks at my T1's control NAT rules that enable and disable 
individual clients. 

This also allows us to easily run point to point traffic across our 
wireless network to link a customer's remote sites together without 
loading our T1's down.  We also use this to provide special services to 
our agricultural clients including remote sensor monitoring, remote 
control of equipment and video monitoring.


We also firewall all our clients...

--
Blair Davis

AOL IM Screen Name --  Theory240

West Michigan Wireless ISP
269-686-8648

A division of:
Camp Communication Services, INC



Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

2005-12-07 Thread Marlon K. Schafer (509) 982-2181
The idea, for me is that by the time a company gets to the point that they 
need to route they'll either know what they are doing.  And/or they'll have 
someone on staff just to handle that issue.


The other problem I ran into back when was a shortage of ip addys.  And 
routing to every customer wastes three ip addys for every one you get to 
actually use.  I don't think that's responsible stewardship.


My new ap's block client to client communications, and new managed switches 
that will vlan and packet filter will be the next upgrades I'll do.


We just broke the network in two.  So I've got 150ish broadband subs on one 
system and 150 on another.  Not exact numbers but close.  One of the systems 
went from t-1 to 10 meg so I don't have good numbers as to performance 
issues.


The other one still has 100 megs coming into it.  On that system I see no 
difference.


I'm sure there's room for improvement.  There always will be if a guy wants 
to stay anywhere near the head of the pack.


One other thing that's not been brought up yet is over building.  Today we 
can build 3 to 10x more capacity into the network than the average customer 
is demanding for the same cost or very nearly so as building to meet 
customer demands.  Having more capacity than is needed, so far, is allowing 
us to significantly simplify the network.  Anyone can walk in here tomorrow 
and take over with a few phone calls to tech support at most.  There's 
nothing fancy going on here.  That's part of why I can take care of 250 
wireless subs, 50 fiber customers and hundreds of dialup people with me and 
two gals that share a part time office job.  Our wireless churn is almost 
nil.  I've lost a couple lately due to some trouble at a tower site.  It's 
caused by jerk off competitors and their 1 watt amps and 15+ db sector 
antennas though.  And I tried to use a $120 sector where I normally use $400 
ones.  I'm not sure I'll ever learn that lesson :-).


Will we have to redo the network at some point in the future?  Sure.  Will 
it suck?  Sure.  But that's then and this is now.  We just redid half of it 
and it sucked.  Big time.  But only for a few days.  WE have taken the time 
to teach our customers how to do their own networking stuff just like we 
took the time to teach them how to do their own dialup stuff.  When we need 
to make changes (or the customer changes their gear) they can usually take 
care of it themselves or with a little help from us via the phone.


Both models work.  The real trick is making sure that they get deployed in 
the right situation.  Too big of a hammer is sometimes just as bad as too 
small of a one or vice versa.


Oh yeah, I'm tired of hearing small networks getting talked down to.  With 
100 subs the average guy should be putting $2,000 to $3,000 per month in the 
bank.  That's enough money to keep the average mom home with the kids!  We'd 
be there today if we would just stop growing.  Man, a mom at home with the 
kids AND good cars to drive and a dad that's not working 80 hours per week. 
Small WISPs are right in there with the American dream man!  This is good 
stuff!


Laters,
Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)   Consulting services
42846865 (icq)   And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



- Original Message - 
From: Lonnie Nunweiler [EMAIL PROTECTED]

To: WISPA General List wireless@wispa.org
Sent: Tuesday, December 06, 2005 5:43 PM
Subject: Re: [WISPA] How to 
Authenticate/Protect(WasEthernetbasedauthentication)



And that is the second thing that guys do wrong.  They use simple
bridged clients which are vulnerable to the issue of the backwards
router and they create a host of other issues.

You are building a network that connects to the Internet so why not
use the same network design that the Internet uses?  Routed.  Sure you
will find sections that are bridged but anything that leaves the
backbone is routed to the customer.

Bridged or rather no design is fine for small simple networks.  Just
plug things in and get on to the next job.  As you grow the troubles
will begin and then, eventually, you will have to reorganize your
entire network and move to a routed design.  Why wait for all that
pain?  Do it right, from the start.  Allow yourself to grow and not
have to go through that second painful redesign.

I am usually silent and just watch the lists, but when I see wrong
advice given I cannot watch in silence.  It is wrong to not use DHCP
and it is wrong to use a bridged design.  If you have intentions of
doing any sort of large customer base, please plan it correctly from
the start.  Do not listen to the guys who tell you to do it quick and
dirty.  I know this sounds preachy, but man, I get 10 calls a day from
people who have started out quick and dirty and they reach a certain
size or get

Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

2005-12-07 Thread Scott Reed





How were you looking at routing to use 3 for 1?  I have never set up
routing that way and would like to be sure I don't.  I am running fully
routed from the get-go, with 3 internal routers and a 4th going in
Friday.  Actually 2 MTs as router only and 2 that are routing APs.

Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

The season is Christmas, not X-mas, not the holiday, but Christmas, because
Christ was born to provide salvation to all who will believe!

-- Original Message ---
From: Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED]
To: WISPA General List wireless@wispa.org
Sent: Wed, 7 Dec 2005 10:05:52 -0800
Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

The idea, for me is that by the time a company gets to the point that they
need to route they'll either know what they are doing.  And/or they'll have
someone on staff just to handle that issue.

The other problem I ran into back when was a shortage of ip addys.  And
routing to every customer wastes three ip addys for every one you get to
actually use.  I don't think that's responsible stewardship.

My new ap's block client to client communications, and new managed switches
that will vlan and packet filter will be the next upgrades I'll do.

We just broke the network in two.  So I've got 150ish broadband subs on one
system and 150 on another.  Not exact numbers but close.  One of the systems
went from t-1 to 10 meg so I don't have good numbers as to performance
issues.

The other one still has 100 megs coming into it.  On that system I see no
difference.

I'm sure there's room for improvement.  There always will be if a guy wants
to stay anywhere near the head of the pack.

One other thing that's not been brought up yet is over building.  Today we
can build 3 to 10x more capacity into the network than the average customer
is demanding for the same cost or very nearly so as building to meet
customer demands.  Having more capacity than is needed, so far, is allowing
us to significantly simplify the network.  Anyone can walk in here tomorrow
and take over with a few phone calls to tech support at most.  There's
nothing fancy going on here.  That's part of why I can take care of 250
wireless subs, 50 fiber customers and hundreds of dialup people with me and
two gals that share a part time office job.  Our wireless churn is almost
nil.  I've lost a couple lately due to some trouble at a tower site.  It's
caused by jerk off competitors and their 1 watt amps and 15+ db sector
antennas though.  And I tried to use a $120 sector where I normally use $400
ones.  I'm not sure I'll ever learn that lesson :-).

Will we have to redo the network at some point in the future?  Sure.  Will
it suck?  Sure.  But that's then and this is now.  We just redid half of it
and it sucked.  Big time.  But only for a few days.  WE have taken the time
to teach our customers how to do their own networking stuff just like we
took the time to teach them how to do their own dialup stuff.  When we need
to make changes (or the customer changes their gear) they can usually take
care of it themselves or with a little help from us via the phone.

Both models work.  The real trick is making sure that they get deployed in
the right situation.  Too big of a hammer is sometimes just as bad as too
small of a one or vice versa.

Oh yeah, I'm tired of hearing small networks getting talked down to.  With
100 subs the average guy should be putting $2,000 to $3,000 per month in the
bank.  That's enough money to keep the average mom home with the kids!  We'd
be there today if we would just stop growing.  Man, a mom at home with the
kids AND good cars to drive and a dad that's not working 80 hours per week.
Small WISPs are right in there with the American dream man!  This is good
stuff!

Laters,
Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)   Consulting services
42846865 (icq)   And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

- Original Message -
From: Lonnie Nunweiler [EMAIL PROTECTED]
To: WISPA General List wireless@wispa.org
Sent: Tuesday, December 06, 2005 5:43 PM
Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

And that is the second thing that guys do wrong.  They use simple
bridged clients which are vulnerable to the issue of the backwards
router and they create a host of other issues.

You

Re: [WISPA]How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-07 Thread Ron Wallace
Blair,
Could we get together sometime?  I like this architecture. I am at a 
point, ready to expand, that this is where I need to go.  I'm over near 
Jackson.

Ron Wallace
Hahnron, Inc.
220 S. Jackson St.
Addison, MI 49220

Phone:  (517) 547-8410
Mobile:  (517) 605-4542
e-mail:   [EMAIL PROTECTED]


Re: [WISPA]How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-07 Thread Blair Davis

Sure. Call me, or reply offlist.

Also, as I see no overlap of our service areas, would you like to link 
directly to each other?


Maybe something like "If you are looking for coverage in the Jackson 
area, try www.newgenet.net" on my site

and "If you need service in Allegan County, try www.wmwisp.net" on your 
site.


Just a thought


Blair



Ron Wallace wrote:


Blair,
Could we get together sometime.  I like this architecture. I am at a 
point, ready to expand, that this is where I need to go.  I'm over near 
Jackson.


Ron Wallace
Hahnron, Inc.
220 S. Jackson St.
Addison, MI 49220

Phone:  (517) 547-8410
Mobile:  (517) 605-4542
e-mail:   [EMAIL PROTECTED]



 




--
Blair Davis

AOL IM Screen Name --  Theory240

West Michigan Wireless ISP
269-686-8648

A division of:
Camp Communication Services, INC



Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)

2005-12-07 Thread Tom DeReggi
 the size of the global outage. 
I often ask myself, would I be better off had I made my network simple, it's 
likely we'd still have more of the larger profile customers. The reality is 
when a customer's bandwidth starts to be used, they are not smart enough to 
understand why it is being used, they just feel the performance. So usually 
a slow performing client, turns into a speed upgrade.  Once they like you 
and have you, they don't think twice to upgrade to faster performance.


I'm not saying is wrong. I plan on keeping a sophisticated routed network. 
I'm just saying, do it at the right time for you. When you install today, 
keep it simple, but buy gear that will allow you to transition to a more 
complicated design when you are at the stage to handle it, the stage when 
you need it.


PS. Someone said IP authentication.  What's that?


Tom DeReggi
RapidDSL  Wireless, Inc
IntAirNet- Fixed Wireless Broadband


- Original Message - 
From: Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED]

To: WISPA General List wireless@wispa.org
Sent: Tuesday, December 06, 2005 7:55 PM
Subject: Re: [WISPA] How to 
Authenticate/Protect(WasEthernetbasedauthentication)



Yeah, until some lunkhead plugs his dsl router in backward.  As they do 
all the time around here


No thanks, no more DHCP troubles for me.  Been there done that.  Twice. 
Never again.


Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)   Consulting services
42846865 (icq)   And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



- Original Message - 
From: Lonnie Nunweiler [EMAIL PROTECTED]

To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect 
(WasEthernetbasedauthentication)



The same way you do it if you didn't run DHCP.  Use PPPoE, HotSpot,
static DHCP based on MAC, ACL for association at the AP, any number of
ways.

DHCP has little to do with authentication, although it can be a part
of the process.  What DHCP does is automate the user TCP settings so
that if you renumber your system in order to move to routing it is
painless to assign new numbers.  If you have to change DNS servers
then that is also easy.  Just change the DHCP config and within an
hour everybody is using the new DNS.

Don't run a network without it.  It is priceless.

Lonnie


On 12/6/05, Ron Wallace [EMAIL PROTECTED] wrote:

Lonnie,
So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
the users.  I'm a real rookie at this.
Ron Wallace
 Original message 
Date: Tue, 6 Dec 2005 11:52:08 -0800
From: Lonnie Nunweiler [EMAIL PROTECTED]
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
basedauthentication)
To: WISPA General List wireless@wispa.org

If you take Marlon's advice and do not run DHCP then you get to have
that personal contact with each and every subscriber if you ever have
to change network settings.  With DHCP running it is real simple and
quick to edit the DHCP config and wait for the DHCP client renewal.

My advice is completely the opposite.  Use DHCP for all of your
customers.  You will be happy you did and will mutter things when you
encounter someone who is not on DHCP.

The personal contact is nice but what if you have several hundred
customers?  That is just a little too nice for my tastes.

Lonnie

On 12/6/05, Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED]
wrote:
 Don't run DHCP!  And use mac filtering at the ap's.  (I use the
smartbridges
 ap's. they'll do radius and authenticate wireless subs just like my
dialup
 ones.)

 Marlon
 (509) 982-2181   Equipment sales
 (408) 907-6910 (Vonage)Consulting services
 42846865 (icq)And I run my own
wisp!
 64.146.146.12 (net meeting)
 www.odessaoffice.com/wireless
 www.odessaoffice.com/marlon/cam



 - Original Message -
 From: Jason [EMAIL PROTECTED]
 To: WISPA General List wireless@wispa.org
 Sent: Monday, December 05, 2005 9:39 PM
 Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
 basedauthentication)


  Marlon,
 
 I appreciate the advice.  Mostly I am interested in bullet proof
  authentication of my clients.  Any suggestions?
 
  Jason
 
  Marlon K. Schafer (509) 982-2181 wrote:
 
  Hiya Jason,
 
  You are mixing your networks  You won't normally run a
homebrew
  product to provide a top notch service.
 
  If security is of THAT great an importance to you, you should NOT
run
  wifi anything.  Put in something much more off the wall.  It's a
lot
  harder to snoop if you don't use one of the world's most common
  protocols.
 
  For these business guys I'd run Trango or something like that.
Good
  stuff but not nearly as much of it in use and no free tools on the
  internet for intercepting

Re: [WISPA]How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-07 Thread Brian Rohrbacher

Why don't you meet in the middle at my house.  :)

Ron Wallace wrote:


Blair,
Could we get together sometime.  I like this architecture. I am at a 
point, ready to expand, that this is where I need to go.  I'm over near 
Jackson.


Ron Wallace
Hahnron, Inc.
220 S. Jackson St.
Addison, MI 49220

Phone:  (517) 547-8410
Mobile:  (517) 605-4542
e-mail:   [EMAIL PROTECTED]
 



--
Brian Rohrbacher
Reliable Internet, LLC
www.reliableinter.net
Cell 269-838-8338

Caught up in the Air 1 Thess. 4:17



Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-06 Thread Marlon K. Schafer (509) 982-2181
Yeah, until some lunkhead plugs his dsl router in backward.  As they do all 
the time around here


No thanks, no more DHCP troubles for me.  Been there done that.  Twice. 
Never again.


Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)   Consulting services
42846865 (icq)   And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



- Original Message - 
From: Lonnie Nunweiler [EMAIL PROTECTED]

To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect 
(WasEthernetbasedauthentication)



The same way you do it if you didn't run DHCP.  Use PPPoE, HotSpot,
static DHCP based on MAC, ACL for association at the AP, any number of
ways.

DHCP has little to do with authentication, although it can be a part
of the process.  What DHCP does is automate the user TCP settings so
that if you renumber your system in order to move to routing it is
painless to assign new numbers.  If you have to change DNS servers
then that is also easy.  Just change the DHCP config and within an
hour everybody is using the new DNS.

Don't run a network without it.  It is priceless.

Lonnie


On 12/6/05, Ron Wallace [EMAIL PROTECTED] wrote:

Lonnie,
So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
the users.  I'm a real rookie at this.
Ron Wallace
 Original message 
Date: Tue, 6 Dec 2005 11:52:08 -0800
From: Lonnie Nunweiler [EMAIL PROTECTED]
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
basedauthentication)
To: WISPA General List wireless@wispa.org

If you take Marlon's advice and do not run DHCP then you get to have
that personal contact with each and every subscriber if you ever have
to change network settings.  With DHCP running it is real simple and
quick to edit the DHCP config and wait for the DHCP client renewal.

My advice is completely the opposite.  Use DHCP for all of your
customers.  You will be happy you did and will mutter things when you
encounter someone who is not on DHCP.

The personal contact is nice but what if you have several hundred
customers?  That is just a little too nice for my tastes.

Lonnie

On 12/6/05, Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED]
wrote:
 Don't run DHCP!  And use mac filtering at the ap's.  (I use the
smartbridges
 ap's. they'll do radius and authenticate wireless subs just like my
dialup
 ones.)

 Marlon
 (509) 982-2181   Equipment sales
 (408) 907-6910 (Vonage)Consulting services
 42846865 (icq)And I run my own
wisp!
 64.146.146.12 (net meeting)
 www.odessaoffice.com/wireless
 www.odessaoffice.com/marlon/cam



 - Original Message -
 From: Jason [EMAIL PROTECTED]
 To: WISPA General List wireless@wispa.org
 Sent: Monday, December 05, 2005 9:39 PM
 Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
 basedauthentication)


  Marlon,
 
 I appreciate the advice.  Mostly I am interested in bullet proof
  authentication of my clients.  Any suggestions?
 
  Jason
 
  Marlon K. Schafer (509) 982-2181 wrote:
 
  Hiya Jason,
 
  You are mixing your networks  You won't normally run a
homebrew
  product to provide a top notch service.
 
  If security is of THAT great an importance to you, you should NOT
run
  wifi anything.  Put in something much more off the wall.  It's a
lot
  harder to snoop if you don't use one of the world's most common
  protocols.
 
  For these business guys I'd run Trango or something like that.
Good
  stuff but not nearly as much of it in use and no free tools on the
  internet for intercepting and cracking the data stream.
 
  What we do is remind our customers that this is the internet.
They are
  hanging out there for thousands upon thousands of people who's
only
  purpose in life is breaking into their machines and seeing what
they can
  learn.  If they have data that's that sensitive then they need a
high end
  internal firewall and they need to VPN all internet traffic.
 
  That help?
  Marlon
  (509) 982-2181   Equipment sales
  (408) 907-6910 (Vonage)Consulting services
  42846865 (icq)And I run my
own wisp!
  64.146.146.12 (net meeting)
  www.odessaoffice.com/wireless
  www.odessaoffice.com/marlon/cam
 
 
 
  - Original Message - From: Jason
[EMAIL PROTECTED]
  To: WISPA General List wireless@wispa.org
  Sent: Friday, December 02, 2005 3:20 PM
  Subject: [WISPA] How to Authenticate/Protect (Was Ethernet
  basedauthentication)
 
 
  List,
 
 I am on the precipice, ready to take the plunge and become a
WISP
  (After 1 year of zoning, permits, 16 hr days, etc), but one
thing still
  bothers me.  I haven't decided how to authenticate clients to my
network

Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-06 Thread Lonnie Nunweiler
And that is the second thing that guys do wrong.  They use simple
bridged clients which are vulnerable to the issue of the backwards
router and they create a host of other issues.

You are building a network that connects to the Internet so why not
use the same network design that the Internet uses?  Routed.  Sure you
will find sections that are bridged but anything that leaves the
backbone is routed to the customer.

Bridged or rather no design is fine for small simple networks.  Just
plug things in and get on to the next job.  As you grow the troubles
will begin and then, eventually, you will have to reorganize your
entire network and move to a routed design.  Why wait for all that
pain?  Do it right, from the start.  Allow yourself to grow and not
have to go through that second painful redesign.

I am usually silent and just watch the lists, but when I see wrong
advice given I cannot watch in silence.  It is wrong to not use DHCP
and it is wrong to use a bridged design.  If you have intentions of
doing any sort of large customer base, please plan it correctly from
the start.  Do not listen to the guys who tell you to do it quick and
dirty.  I know this sounds preachy, but man, I get 10 calls a day from
people who have started out quick and dirty and they reach a certain
size or get certain types of traffic, and their network just
collapses.  The fix is to go to routed and when they realize how much
work it is to convert it, they all wish they had followed my
consistent advice.  For more than 5 years I have said the same thing
on the various lists.  I even got kicked off the Judd list for not
backing down and agreeing that hacked together bridges were the way to
go.

Regards,
Lonnie



On 12/6/05, Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED] wrote:
 Yeah, until some lunkhead plugs his dsl router in backward.  As they do all
 the time around here

 No thanks, no more DHCP troubles for me.  Been there done that.  Twice.
 Never again.

 Marlon
 (509) 982-2181   Equipment sales
 (408) 907-6910 (Vonage)Consulting services
 42846865 (icq)And I run my own wisp!
 64.146.146.12 (net meeting)
 www.odessaoffice.com/wireless
 www.odessaoffice.com/marlon/cam



 - Original Message -
 From: Lonnie Nunweiler [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org
 Sent: Tuesday, December 06, 2005 2:27 PM
 Subject: Re: [WISPA] How to Authenticate/Protect
 (WasEthernetbasedauthentication)


 The same way you do it if you didn't run DHCP.  Use PPPoE, HotSpot,
 static DHCP based on MAC, ACL for association at the AP, any number of
 ways.

 DHCP has little to do with authentication, although it can be a part
 of the process.  What DHCP does is automate the user TCP settings so
 that if you renumber your system in order to move to routing it is
 painless to assign new numbers.  If you have to change DNS servers
 then that is also easy.  Just change the DHCP config and within an
 hour everybody is using the new DNS.

 Don't run a network without it.  It is priceless.

 Lonnie


 On 12/6/05, Ron Wallace [EMAIL PROTECTED] wrote:
  Lonnie,
  So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
  the users.  I'm a real rookie at this.
  Ron Wallace
   Original message 
  Date: Tue, 6 Dec 2005 11:52:08 -0800
  From: Lonnie Nunweiler [EMAIL PROTECTED]
  Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
  basedauthentication)
  To: WISPA General List wireless@wispa.org
  
  If you take Marlon's advice and do not run DHCP then you get to have
  that personal contact with each and every subscriber if you ever have
  to change network settings.  With DHCP running it is real simple and
  quick to edit the DHCP config and wait for the DHCP client renewal .
  
  My advice is completely the opposite.  Use DHCP for all of your
  customers.  You will be happy you did and will mutter things when you
  encounter someone who is not on DHCP.
  
  The personal contact is nice but what if you have several hundred
  customers?  That is just a little too nice for my tastes.
  
  Lonnie
  
  On 12/6/05, Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED] wrote:
   Don't run DHCP!  And use mac filtering at the ap's.  (I use the
   smartbridges ap's. they'll do radius and authenticate wireless subs
   just like my dialup ones.)
  
   Marlon
   (509) 982-2181   Equipment sales
   (408) 907-6910 (Vonage)   Consulting services
   42846865 (icq)   And I run my own wisp!
   64.146.146.12 (net meeting)
   www.odessaoffice.com/wireless
   www.odessaoffice.com/marlon/cam
  
  
  
   - Original Message -
   From: Jason [EMAIL PROTECTED]
   To: WISPA General List wireless@wispa.org
   Sent: Monday, December 05, 2005 9:39 PM
   Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet

Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-06 Thread Mac Dearman
 cannot watch in silence.  It is wrong to not use DHCP
and it is wrong to use a bridged design.  If you have intentions of
doing any sort of large customer base, please plan it correctly from
the start.  Do not listen to the guys who tell you to do it quick and
dirty.  I know this sounds preachy, but man, I get 10 calls a day from
people who have started out quick and dirty and they reach a certain
size or get certain types of traffic, and their network just
collapses.  The fix is to go to routed and when they realize how much
work it is to convert it, they all wish they had followed my
consistent advice.  For more than 5 years I have said the same thing
on the various lists.  I even got kicked off the Judd list for not
backing down and agreeing that hacked together bridges were the way to
go.

Regards,
Lonnie



On 12/6/05, Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED] wrote:

Yeah, until some lunkhead plugs his dsl router in backward.  As they do all
the time around here

No thanks, no more DHCP troubles for me.  Been there done that.  Twice.
Never again.

Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)   Consulting services
42846865 (icq)   And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



- Original Message -
From: Lonnie Nunweiler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; WISPA General List wireless@wispa.org
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect
(WasEthernetbasedauthentication)


The same way you do it if you didn't run DHCP.  Use PPPoE, HotSpot,
static DHCP based on MAC, ACL for association at the AP, any number of
ways.

DHCP has little to do with authentication, although it can be a part
of the process.  What DHCP does is automate the user TCP settings so
that if you renumber your system in order to move to routing it is
painless to assign new numbers.  If you have to change DNS servers
then that is also easy.  Just change the DHCP config and within an
hour everybody is using the new DNS.

Don't run a network without it.  It is priceless.

Lonnie


On 12/6/05, Ron Wallace [EMAIL PROTECTED] wrote:

Lonnie,
So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
the users.  I'm a real rookie at this.
Ron Wallace

 Original message 
Date: Tue, 6 Dec 2005 11:52:08 -0800
From: Lonnie Nunweiler [EMAIL PROTECTED]
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)
To: WISPA General List wireless@wispa.org

If you take Marlon's advice and do not run DHCP then you get to have
that personal contact with each and every subscriber if you ever have
to change network settings.  With DHCP running it is real simple and
quick to edit the DHCP config and wait for the DHCP client renewal.

My advice is completely the opposite.  Use DHCP for all of your
customers.  You will be happy you did and will mutter things when you
encounter someone who is not on DHCP.

The personal contact is nice but what if you have several hundred
customers?  That is just a little too nice for my tastes.

Lonnie

On 12/6/05, Marlon K. Schafer (509) 982-2181 [EMAIL PROTECTED] wrote:

Don't run DHCP!  And use mac filtering at the ap's.  (I use the
smartbridges ap's. they'll do radius and authenticate wireless subs
just like my dialup ones.)

Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)   Consulting services
42846865 (icq)   And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

- Original Message -
From: Jason [EMAIL PROTECTED]
To: WISPA General List wireless@wispa.org
Sent: Monday, December 05, 2005 9:39 PM
Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

Marlon,

  I appreciate the advice.  Mostly I am interested in bullet proof
authentication of my clients.  Any suggestions?

Jason

Marlon K. Schafer (509) 982-2181 wrote:

Hiya Jason,

You are mixing your networks  You won't normally run a homebrew
product to provide a top notch service.

If security is of THAT great an importance to you, you should NOT run
wifi anything.  Put in something much more off the wall.  It's a lot
harder to snoop if you don't use one of the world's most common
protocols.

For these business guys I'd run Trango or something like that.  Good
stuff but not nearly as much of it in use and no free tools on the
internet for intercepting and cracking the data stream.

What we do is remind our customers that this is the internet
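
The failure mode argued over in this thread, a customer router plugged in backward and answering DHCP requests, can be caught by checking the server identifier in every DHCP reply seen on the subscriber segment. This is an added example, not part of the original thread; the authorised server address 10.0.0.1, the function names and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")
OFFER, ACK = 2, 5
# Assumption: 10.0.0.1 is the operator's only legitimate DHCP server.
AUTHORISED_SERVERS = {ipaddress.ip_address("10.0.0.1")}


def parse_dhcp_reply(payload: bytes) -> dict:
    """Extract lease address, client MAC, message type and server ID."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != 2 or hlen > 16:
        raise ValueError("not a well-formed BOOTREPLY")
    info = {"yiaddr": ipaddress.ip_address(payload[16:20]),
            "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:               # DHCP message type
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:             # server identifier
            info["server_id"] = ipaddress.ip_address(value)
        i += 2 + length
    return info


def is_rogue(info: dict) -> bool:
    """True for an OFFER/ACK whose server ID is missing or not authorised."""
    return (info["msg_type"] in (OFFER, ACK)
            and info["server_id"] not in AUTHORISED_SERVERS)


def build_reply(server: str, lease: str, mac: str, msg_type: int) -> bytes:
    """Constructed sample packet (not a capture) for exercising the parser."""
    hw = bytes.fromhex(mac.replace(":", ""))
    head = struct.pack("!BBBBIHH", 2, 1, len(hw), 0, 0x1234, 0, 0)
    addrs = bytes(4) + ipaddress.ip_address(lease).packed + bytes(8)
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.ip_address(server).packed + b"\xff"
    return head + addrs + hw.ljust(16, b"\0") + bytes(192) + MAGIC_COOKIE + opts
```

Feed `parse_dhcp_reply` the UDP payload of packets sent from port 67 on the customer-facing interface and alert when `is_rogue` returns true; the client MAC and offered address in the result identify which subscriber was handed a bad lease.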

Re: [WISPA] How to Authenticate/Protect (WasEthernetbasedauthentication)

2005-12-06 Thread Butch Evans

On Tue, 6 Dec 2005, Mac Dearman wrote:


Margaritas anyone?


Bring 'em on, Mac!  I need one (quart) after that.  :-)

--
Butch Evans
BPS Networks  http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)
--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/