At 23:12 10/02/2003, Mark Malewski wrote:
> Yes, 802.1x is a great idea, but it's hard to find Free clients (for Windows 95/98 users)

Microsoft said at some point they would provide an add-on for earlier Windows versions like they did for W2K. Don't know what the status of that is, though. But if you're interested in writing an 802.1x client for those platforms, you're more than welcome :-)

> Why not go with some form of web-based captive portal (NoCat), combined with a FreeRADIUS authentication RADIUS server? (like we're currently using)

The RADIUS part I have no problem with. The captive portal, even though it's a good stopgap measure, is not enough in the long term. It does not prevent IP/MAC address spoofing/connection hijacking (so allows someone to use somebody else's connection to send traffic, acting as that user). And in a global roaming environment (which I believe is necessary, and which you mention below), there is the issue that the credentials are available in the clear to the gateway, which allows credentials theft by rogue or malevolent APs.

802.1x, on the other hand, combined with a decent EAP method, will provide per-user encryption of the connection between the AP and the client (so no IP/MAC address spoofing is possible), and secure end-to-end transmission of the credentials (between the user and his/her home authentication server).

> If this is something you'd be interested in working together on, I'd be more than happy to help/share ideas. We're currently working on a free "Global" authentication server, where communities would each run a copy of the software, and it would allow users to roam freely between communities (with one login and one password). The user databases would be "shared" between communities.

Better yet, use the NAI format (i.e. user@domain, with domain being a real DNS domain for unicity), and use the domain part to find the home authentication server, possibly via a chain of authentication servers. Check out http://www.ietf.org/internet-drafts/draft-caron-dns-based-roaming-00.txt for instance (quite surprised it's still on the IETF server, it should have expired by now). It's definitely not perfect, but it's a starting point. Any comments welcome on the openroaming list (http://lists.ipsector.com/listinfo/openroaming). It's been pretty dormant until now and I have been way too busy on other projects over the last few months to revive it, but discussion is welcome.
Jacques.
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming
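As an added example (not code from this thread or from IP Sector Technologies; the hostnames and realm table are constructed), here is how a community RADIUS proxy could route on the NAI realm as described in the message above: longest-suffix match against a realm table, with a default upstream proxy for the chained case, and a note on why only the outer identity needs to be visible to the proxies when EAP is used.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    realm: str      # realm suffix this entry matches; "" is the default route
    next_hop: str   # RADIUS server or proxy the request is forwarded to
    home: bool      # True if next_hop is the home server, False if another proxy

# Constructed routing table (hostnames are made up): this community proxy knows
# a few partner realms directly and sends everything else to a regional proxy.
ROUTES = [
    Route("example.edu", "radius.example.edu", True),
    Route("lab.example.edu", "radius-lab.example.edu", True),
    Route("community.example.net", "radius.community.example.net", True),
    Route("", "proxy.region.example.org", False),
]

def parse_nai(identity):
    """Split user@realm: exactly one '@', both parts non-empty, realm a DNS name."""
    if identity.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    user, realm = identity.split("@")
    realm = realm.lower().rstrip(".")          # realms compare case-insensitively
    labels = realm.split(".")
    if not user or not realm or not all(lb and lb.replace("-", "").isalnum() for lb in labels):
        raise ValueError("malformed NAI: " + identity)
    return user, realm

def select_route(realm, routes=ROUTES):
    """Longest matching realm suffix wins, so lab.example.edu beats example.edu;
    the empty realm matches anything and acts as the default (next proxy) route."""
    best = None
    for r in routes:
        if r.realm == "" or r.realm == realm or realm.endswith("." + r.realm):
            if best is None or len(r.realm) > len(best.realm):
                best = r
    return best

def route_request(identity, routes=ROUTES):
    """Forwarding decision for one Access-Request, keyed on the NAI realm only.
    With an EAP tunnel the proxy chain sees just this outer identity, so an
    outer NAI of anonymous@realm still routes correctly while the real username
    and credentials stay inside the tunnel to the home server."""
    _, realm = parse_nai(identity)
    route = select_route(realm, routes)
    return {"realm": realm, "next_hop": route.next_hop, "home": route.home}

if __name__ == "__main__":
    for nai in ("alice@Lab.Example.EDU", "anonymous@example.edu", "bob@unknown.example.com"):
        print(nai, "->", route_request(nai))
```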
--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
