- anybody who sniffs the traffic can find the MAC and/or IP address of a "valid" user and use it afterwards (or even at the same time, depending on the type of traffic)
- it requires that the first thing you do is actually use a browser, and keep it open for periodic reauth
- it is not compatible with authentication methods other than login/password (e.g. TLS, or SIM, or AKA...)
- there are security issues (credentials theft by rogue APs) in a roaming environment.
For all these reasons, you'd be better off with 802.1X and dynamic WEP keys. Not perfect, but better:
- without the key you cannot send or receive any traffic, so you cannot act like a legitimate user
- 802.1X implementations are usually daemons or services which run all the time
- it supports all sorts of authentication methods
- since the authentication happens end-to-end, if you use an appropriate method, nobody in the middle can capture re-usable credentials.
On the other hand, NoCatAuth is pretty simple to set up once you have a Linux box around (or so I hear, I haven't really tried myself), and only requires a browser on the clients. 802.1X, on the other hand, requires an AP that supports it (Cisco, Orinoco and a bunch of others do, as well as the latest Linux hostap version) and a client with 802.1X support (Windows XP, other Windows versions and MacOS with Meetinghouse Datacoms or Funk software, Unix systems with open1x...).
Jacques.
At 21:29 30/10/2002, Stefano Y wrote:
Hello All,

I would like to learn about setting up a server that is capable of Port_based Authentication. Per se, the AP has the WEP key disabled. All users can obtain IP addresses and can ping/access each other by just registering to an AP-SSID, but they cannot access the Internet (any port), unless: when they try any URL via the IE browser, it pops up the logon, and after entering UserID and PW they can access any port to the Internet.

What do I need to set this up: HW and software, server, Win2K or Linux?

Thanks,
Stefano Y

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming: http://lists.ipsector.com/listinfo/openroaming
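Added example, not part of the original thread or of NoCatAuth: a gateway that authorizes by MAC/IP cannot tell a second radio reusing an authenticated address from the real client, but a monitoring station can often spot it, because each radio keeps its own 802.11 sequence counter. The sketch below flags MACs whose counter jumps repeatedly; the frame tuples, thresholds and function names are constructed for illustration, and it assumes one counter per transmitter (per-TID QoS counters would need the key extended).

```python
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap at 4096


def _stream(mac, start_t, step, seqs):
    """Build constructed (time_s, mac, seq) observations for one radio."""
    return [(start_t + i * step, mac, s) for i, s in enumerate(seqs)]


# Constructed sample data (locally administered MACs), not a real capture.
FRAMES = (
    _stream("02:00:00:00:00:0a", 0.00, 0.10, [4093, 4094, 4095, 0, 1, 2])  # one radio, counter wraps
    + _stream("02:00:00:00:00:0b", 0.00, 0.10, [200, 201, 202, 203])       # portal-authenticated client
    + _stream("02:00:00:00:00:0b", 0.05, 0.10, [3000, 3001, 3002])         # second radio, same MAC
    + _stream("02:00:00:00:00:0c", 0.00, 0.10, [10, 11, 500, 501])         # one radio, one burst of loss
)


def seq_gap(prev, cur):
    """Forward distance from prev to cur, modulo the 12-bit counter."""
    return (cur - prev) % SEQ_MOD


def find_shared_macs(frames, max_gap=64, min_anomalies=3):
    """Return {mac: anomaly_count} for MACs that look shared by two radios.

    A single radio increments its counter by one per frame, so the forward
    gap stays small even when the monitor misses a few frames. Two radios
    using one MAC interleave two unrelated counters, so the gap is large
    again and again rather than once.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for _, mac, seq in sorted(frames):
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            if gap == 0:
                continue  # retransmission of the same frame
            if gap > max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    # A single large jump is ordinary loss; require several before alerting.
    return {mac: n for mac, n in anomalies.items() if n >= min_anomalies}


if __name__ == "__main__":
    for mac, count in find_shared_macs(FRAMES).items():
        print(f"{mac}: {count} sequence-number anomalies, possible shared MAC")
```

This only raises an alert; with 802.1X and per-session keys, frames from the second radio are rejected outright because it does not hold the key.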
