We are attempting to approach this problem from the client end. We, meaning Rappore Technologies and our Shield 1.1 product. See www.rappore.com. The client solution is based on location.
I agree that we shouldn't trust the public network and should implement some form of VPN. Maybe a lightweight VPN or crypt technology would suffice.

>From: Jacques Caron <[EMAIL PROTECTED]>
>To: "David Rhodes" <[EMAIL PROTECTED]>
>CC: <[EMAIL PROTECTED]>
>Subject: Re: [BAWUG] AP spoof detection
>Date: Tue, 08 Oct 2002 20:10:43 +0200
>
>Hi,
>
>In most cases there is no direct authentication of the AP, but many EAP
>methods allow for mutual authentication between the client and the server.
>This means that at least there is some form of direct or indirect trust
>relationship between the AP and the auth server. Also, any decent EAP
>method will not enable a rogue AP to capture credentials that can be
>re-used in any way, so the worst case is really that your traffic, once
>authenticated, gets onto a network where one can easily capture it. But you
>shouldn't trust any public network anyway, and use SSL/TLS enabled
>protocols, VPN tunnels back to a home/enterprise gateway, or any other
>method that maintains end-to-end (or nearly so) protection of your traffic.
>
>One issue that might need some discussion, in a context where enterprise
>users could use the same credentials when connected to their home network
>or in a public place, is how the station determines which is the case (and
>whether a VPN is needed or not, for instance). Not sure anybody has put
>much thought into this yet.
>
>Jacques.
>
>At 18:29 08/10/2002, David Rhodes wrote:
>>..another thought related to recent EAP/LEAP threads - Does anyone know if
>>any of the related 1x mechanisms will provide AP authentication to the
>>client? It seems like all the effort has gone into authenticating the
>>client, not the access point. I realize that most 802.11 equip. was built
>>for corporate and home environments where the network provider is trusted,
>>but this is not true in the public space.
>> I haven't used the 1x solutions to any serious degree yet but it appears
>>the AP only passes the supplicant info to the RADIUS server. I know the
>>RADIUS server essentially auth's the AP via the optional SSL/shared key
>>connection but that doesn't provide the user any first hand information.
>>Seems like we need some way to put public certs on the AP's similar to what
>>is done with webservers. With all these stories of pimping starbucks wifi
>>customers from the street, etc..not to mention AP storms... or am I missing
>>something?
>>
>>thanks,
>>david
>>
>>--
>>general wireless list, a bawug thing <http://www.bawug.org/>
>>[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
>
>
>-- Jacques Caron, IP Sector Technologies
> Join the discussion on public WLAN open global roaming:
> http://lists.ipsector.com/listinfo/openroaming

IntraLink Communications, Inc
170 East Sandpiper Lane
Saratoga Springs, UT 84043
Phone: (801) 860-5446
Fax : (801) 766-8538
