Results 1 to 5 of 5

Thread: configuring secure auth for a wireless LAN

  1. #1

    configuring secure auth for a wireless LAN

    I administer a small LAN for my company and right now we have a nice little wireless setup that clients and co-workers can access using a simple WEP key. This is nice and all, but I'm not as concerned about the depth of security here as much as usability. I would prefer to configure this access point to use a Linux firewall set up as a gateway to the LAN.

    The goal is to no longer require users to configure their wireless connection to match my security needs, but instead to redirect their web traffic to a web page that would allow them to authenticate through a RADIUS server. Sort of like what you'd run into if you tried to connect to a hotspot in a coffee shop, except I don't want to charge people for the service. Just make them authenticate.

    Seems like it ought to be a somewhat straightforward configuration to build, but before I dig into my limited knowledge of PHP and try to build it, I thought I'd post here to see if anyone has seen (or uses) an open source version of this kind of mechansim out there that I could use.

    Would also be interested to know the details of such a setup in case I find myself in a hotel room with one of these authenticated wireless APs that might be fun to poke at . . .

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    186
    Apache has a module that does RADIUS authentication, although it is typically used for website authentication. I'm sure it could be adapted to your needs though. Why wouldn't you just use the built in RADIUS client for Windows though? That way a client would need to authenticate for all traffic, not just web-traffic. I guess this might require some user configuration though.

    You can check it out at:
    http://www.freeradius.org/mod_auth_radius/

    If you have access to Jonathan Hassell's RADIUS book it explains the module configuration well in Chapter 7. Let me know if you want me to type up a quick summary if you don't have access to the book.
    \"When you say best friends, it means friends forever\" Brand New
    \"Best friends means I pulled the trigger
    Best friends means you get what you deserve\" Taking Back Sunday
    Visit alastairgrant.ca

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    brichards99, you've mentioned that you are not nearly 'as concerned about the depth of security here as much as usability.'

    'This is nice and all', and I don't want to preach, but as a White hat in Gray hat's clothing (yes, someone called me that recently), I do need to point out that this sounds like another case of security through obscurity. Are these users to be considered as if they are plugged into the company LAN? If so, then you may as well drop a line to the front lobby and add a switch (better yet a hub. Nothing like broadcast traffic.)

    I'm not trying to be mean, but I speak from personal experience...wait...I said White hat before...

    I speak from THEORETICAL INTROSPECTION that these coffee house solutions you speak of are more complex than they appear on the surface if they have ACL's and authentication. At a SANS conference a couple years back, I 'theoretically considered how to' bypassed this access control method with Ethereal and the 5 minutes it took me to learn and install it (no sh!t. My first time with Eth and I was hacking wlan security.) Now it goes a long way to state that they had a sh!tty deployment. They authenticated (plain text) against a web page just as you've mentioned, which add's the MAC to an ACL and thus all traffic is no longer diverted to their web server. Sniff the traffic to and from that Auth page and you have the password. Or simply hijack a MAC that's already in the ACL.

    I guess the point is, you really need to thouroughly evaluate your requirements, then scrutinize your decision OBJECTIVELY (this is challenging to do, even for the best of us...I know I'm guilty here, so are most of the rest of us I'd guess).

    Ok... </soapbox>

    There are also many AP's that come with WPA pre-shared key AND radius authentication supported out of the box.

    Best of luck.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Zencoder,

    You're absolutely right, particularly in your final comments, about scrutinizing my requirements. The development process I'm using right now however is to find the answer to the question I am having most difficulty with -- how to do the authentication -- and then work backwards from that in a test environment through the things I do know how to do until the entire user-to-LAN system is as secure as I want it.

    I really just wanted to filter out long-winded discussions of the encryption problem and focus on the authentication problem.

    Your comments are very well-taken, and I certainly appreciate a little preaching. After all, this is part of the spirit of AO, isn't it? Educate the problem-solver as well as the problem . . .

    As an aside, part of my reason for exploring this problem on my own time is that I am finding that occasionally users have decided that my little WEP key is too much of a hassle for them to configure on their machines and have therefore taken to yanking cables from innocent desktops and plugging them into their machines anyway. Fortunately, this is a closed location so I know that anyone who does this is legit due to physical limitations, but I would like to take advantage of a little more effort on my part in order to discourage misuse of my LAN on their part.

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by brichards99
    I really just wanted to filter out long-winded discussions of the encryption problem and focus on the authentication problem.
    Oops, kinda blew that one out of the water, didn' I?

    A quick search of sourceforge brought up a few potential projects. Please note the last one is listed as Pre-Alpha. Probably not overly helpful, but you never know.

    http://www.lessnetworks.com/

    http://www.ilesansfil.org/wiki/WiFiDog

    http://wificoffee.sourceforge.net/

    Freeradius and MySQL notes are here http://www.frontios.com/freeradius.html
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •