Hi,

In most cases there is no direct authentication of the AP, but many EAP methods allow for mutual authentication between the client and the server. This means that at least there is some form of direct or indirect trust relationship between the AP and the auth server. Also, any decent EAP method will not enable a rogue AP to capture credentials that can be re-used in any way, so the worst case is really that your traffic, once authenticated, gets onto a network where one can easily capture it. But you shouldn't trust any public network anyway, and use SSL/TLS enabled protocols, VPN tunnels back to a home/enterprise gateway, or any other method that maintains end-to-end (or nearly so) protection of your traffic.

One issue that might need some discussion, in a context where enterprise users could use the same credentials when connected to their home network or in a public place, is how the station determines which is the case (and whether a VPN is needed or not, for instance). Not sure anybody has put much thought into this yet.

Jacques.

At 18:29 08/10/2002, David Rhodes wrote:
> ..another thought related to recent EAP/LEAP threads - Does anyone know if
> any of the related 1x mechanisms will provide AP authentication to the
> client? It seems like all the effort has gone into authenticating the
> client, not the access point. I realize that most 802.11 equip. was built
> for corporate and home environments where the network provider is trusted,
> but this is not true in the public space.
>
> I haven't used the 1x solutions to any serious degree yet but it appears
> the AP only passes the supplicant info to the RADIUS server. I know the
> RADIUS server essentially auth's the AP via the optional SSL/shared key
> connection but that doesn't provide the user any first hand information.
> Seems like we need some way to put public certs on the AP's similar to what
> is done with webservers. With all these stories of pimping starbucks wifi
> customers from the street, etc..not to mention AP storms... or am I missing
> something?
>
> thanks,
> david
>
> --
> general wireless list, a bawug thing <http://www.bawug.org/>
> [un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless

--
Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming
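The mutual-authentication property Jacques describes (the client verifies the authentication server, and an AP is trusted only indirectly through it) is something the station has to be configured to enforce. The following is an added example, not part of the thread and not from either poster: two wpa_supplicant network blocks (wpa_supplicant is assumed as the client; the thread predates it) showing the weak setting beside the corrected one. The SSID, identity, CA path and server name are constructed placeholders.

```conf
# Added example (not from the thread). Weak configuration: no CA is
# specified, so the supplicant accepts whatever server certificate it is
# offered and cannot distinguish the real authentication server from one
# sitting behind a rogue AP. Credentials are released before any trust
# in the infrastructure has been established.
network={
    ssid="CorpWiFi"            # constructed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"           # constructed identity
    password="..."             # placeholder, not a real value
    phase2="auth=MSCHAPV2"
}

# Corrected configuration: the server certificate must chain to the
# enterprise CA and carry the expected server name. The inner credential
# exchange only proceeds once that check passes, which is the indirect
# AP authentication described above: an AP is only usable if the
# authentication server behind it is the one the station expects.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="..."
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"      # assumed path to the enterprise CA
    domain_suffix_match="radius.example.com"  # assumed authentication server name
}
```

The check to make when reviewing a client profile is that both `ca_cert` and a server-name constraint (`domain_suffix_match`, or an equivalent subject match) are present; a CA alone is not enough if any certificate issued by that CA is accepted, and a name match alone is meaningless without a trusted issuer.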
