WPA-Enterprise requires a private key on the authentication server, but the AS doesn't have to run on the access point. In a distributed scenario like a community network, it's likely there would be a centralized AS. If you use good practices and don't use the same RADIUS key for all routers, then losing one AP would likely compromise only sessions on that AP. The exception here is if fast credential roaming (like 802.11r) is used, in which case other sessions may be cached on the AP as well. Some distributed wireless systems use a lightweight AP and centralized controller (split-MAC architecture); in those instances not much of value (other than the hardware) is lost when an AP is compromised.

Christopher

On Thu, Jun 18, 2015 at 2:55 AM, Russell Senior <[email protected]> wrote:
> Does this idea require keeping a private key on the router? If so,
> that's a problem, since routers are often quite vulnerable to physical
> access. If an entire community network relied on a single certificate
> for authentication across all of their infrastructure (based on their
> extended SSID), then losing one AP could mean complete compromise.
>
> On Thu, Jun 18, 2015 at 12:18 AM, Diderik van Wingerden
> <[email protected]> wrote:
> > Hi Mitar,
> >
> > Thanks for sharing. I am no expert on the subject, but it sounds like a
> > great addition to open wireless (and wireless networking in general). So
> > would it be possible to implement this in LibreCMC (or OpenWRT) for
> > example? And would it then require something on the client's end? Like a
> > new driver or certificate, as you mention? I mean, the solution would of
> > course be adopted much faster if a client install/config of some sort
> > would not be necessary, or at least be super easy.
> >
> > best regards,
> > Diderik
> >
> >
> > On 17-06-15 21:00, [email protected] wrote:
> >> Send Tech mailing list submissions to
> >> [email protected]
> >>
> >> To subscribe or unsubscribe via the World Wide Web, visit
> >> https://srv1.openwireless.org/mailman/listinfo/tech
> >> or, via email, send a message with subject or body 'help' to
> >> [email protected]
> >>
> >> You can reach the person managing the list at
> >> [email protected]
> >>
> >> When replying, please edit your Subject line so it is more specific
> >> than "Re: Contents of Tech digest..."
> >>
> >>
> >> Today's Topics:
> >>
> >> 1. Open secure wireless (Mitar)
> >>
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Wed, 17 Jun 2015 04:33:16 -0700
> >> From: Mitar <[email protected]>
> >> To: [email protected]
> >> Subject: [OpenWireless Tech] Open secure wireless
> >> Message-ID:
> >> <caklmikp830_xkz2aaiw0wpd7faos+ozgug46sobc1fg8jhg...@mail.gmail.com>
> >> Content-Type: text/plain; charset=UTF-8
> >>
> >> Hi!
> >>
> >> Reading this old post:
> >>
> >> https://www.eff.org/deeplinks/2011/04/open-wireless-movement
> >>
> >> I wanted to point some research done on this some time ago:
> >>
> >> http://www.riosec.com/articles/Open-Secure-Wireless
> >> http://www.riosec.com/articles/Open-Secure-Wireless/Open-Secure-Wireless.pdf
> >>
> >> And also some progress:
> >>
> >> http://www.riosec.com/articles/open-secure-wireless-20
> >>
> >> If you are not doing that already, I think EFF should get on board of
> >> supporting those changes to the standard.
> >>
> >> (BTW, originally, as presented in 1.0 paper, WiFi standard does allow
> >> open and secure connections, just no operating system really
> >> implements it because they all first prompt for the password, before
> >> trying to connect to the encrypted WiFi network to figure out the
> >> password is really required.)
> >>
> >>
> >> Mitar
> >>
> >
> > --
> > Warm regards, hartelijke groet,
> >
> > Diderik van Wingerden
> > +31621639148
> > http://www.think-innovation.com/
> >
> > "Do what is right."
> >
> > _______________________________________________
> > Tech mailing list
> > [email protected]
> > https://srv1.openwireless.org/mailman/listinfo/tech
> _______________________________________________
> Tech mailing list
> [email protected]
> https://srv1.openwireless.org/mailman/listinfo/tech
>
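
A check for the practice the reply at the top of this thread recommends (a separate RADIUS key per router), as an added example that is not part of the original messages: it audits a FreeRADIUS-style `clients.conf` for secrets shared by several APs, and goes one step further by flagging subnet-wide client entries, which give every AP in the range the same secret. The client names, addresses and secrets are constructed, and the parser is a simplification that handles only plain `key = value` lines.

```python
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS clients.conf syntax; every name, address
# and secret below is made up for this example.
SAMPLE_CLIENTS_CONF = """
client ap-library {
    ipaddr = 10.20.0.11
    secret = Kq7vTz0pLw93hXcB
}
client ap-cafe {
    ipaddr = 10.20.0.12
    secret = community-wifi   # same secret as ap-park
}
client ap-park {
    ipaddr = 10.20.0.13
    secret = community-wifi
}
client wildcard {
    ipaddr = 10.20.0.0/16
    secret = Zm4Q1sYe8RuD2aNc
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(\w+)\s*=\s*([^#\n]+?)\s*(?:#.*)?$", re.M)

def parse_clients(text):
    """Return {client_name: {field: value}} for each client block."""
    return {name: dict(FIELD_RE.findall(body))
            for name, body in CLIENT_RE.findall(text)}

def audit(text):
    """Findings that widen the blast radius of one captured AP."""
    clients = parse_clients(text)
    by_secret = defaultdict(list)
    for name, fields in clients.items():
        if "secret" in fields:
            by_secret[fields["secret"]].append(name)
    # One secret on several APs: extracting it from any of them exposes all.
    findings = [("shared-secret", sorted(names))
                for names in by_secret.values() if len(names) > 1]
    # A network-range client gives every AP in that range the same secret.
    for name, fields in clients.items():
        ipaddr = fields.get("ipaddr", "")
        if "/" in ipaddr and not ipaddr.endswith("/32"):
            findings.append(("subnet-client", [name]))
    return findings

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_CLIENTS_CONF):
        print(kind, ", ".join(names))
```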
