On Sat, 09 Mar 2019 17:58:26 +0000, t...@ls83.eclipse.co.uk wrote:
> Yes, not only that but I'm hoping that CC#2, by trying to beat the
> system, will learn a bit about networking rather than just using
> it.
:-)

> As someone who hasn't come across RADIUS before, could you explain
> how it could help in this situation (i.e. preventing someone from
> connecting to the network with an arbitrary IP address)?
My experience of RADIUS is limited to being a sometime user of 
[eduroam][1], which uses it.

I don't really know much about how it works, but I'll take the
opportunity to improve my understanding by trying to explain it.

My understanding is that RADIUS is a protocol for services that
provide authentication for one or more different network access
mechanisms. So, on its own, RADIUS is not really a solution at all,
just part of a solution.

In the context of a WiFi network, I imagine RADIUS will most likely be
integrated with WPA2, using [EAP][2].

Alternatively, RADIUS could be linked to a web-page-based captive
portal.

A third option might be to provide WiFi access only to a VPN server or
some other portal/proxy/gateway server, which uses RADIUS to
authenticate users and then provides access to the network proper.

Of these, I don't think the captive portal option will help. By not
using WiFi encryption, it leaves the door open for a client to imitate
another client to take advantage of its greater privilege.

Using the WPA2 option, I believe the authentication occurs before the 
client device is connected to the network by the access point. I 
suppose the access point is therefore the arbiter of what kinds of 
connections are possible, under the instruction of the RADIUS server.
(I suppose the access point fulfils the "Network Access Server" role.)

So the RADIUS server might, in effect, tell the access point which 
VLAN to tag an authenticated client's traffic with, for example, or it 
might tell it which IP addresses the client can use. These are 
certainly just guesses on my part: the sorts of outcomes that would
make sense to me.

If the client can be reliably forced into a particular VLAN or a
particular IP address by the access point on the basis of the client's
authenticated identity, then it is going to be easy for a router/
firewall to control what the client can access and when.

The access point can also send the RADIUS server updates about whether 
the client is still connected, to enable the accounting feature.

The RADIUS server could itself have any kind of back-end, potentially
integrating with a wider system of user accounts.

I'm surprised, but probably shouldn't be, to learn that the
[hostapd][3] daemon is not only capable of using a RADIUS server, but
also capable of being a RADIUS server itself.


> > One 'cheaper' option for authentication would be to just have more
> > than one WiFi SSID.
> 
> Yes, that's a possibility, as the Draytek has multiple SSIDs with
> scheduling. But fairly quickly the unscheduled SSID passwords will
> be compromised.
If the compromise is by means of extracting credentials from other 
devices, then I suppose the same risk could apply to a solution using 
RADIUS.


Patrick


[1]: https://www.eduroam.org/
[2]: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
[3]: https://w1.fi/hostapd/


--
  Next meeting: BEC, Bournemouth, Tuesday, 2019-04-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk/
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
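The VLAN assignment Patrick describes as a guess is in fact how 802.1X/RADIUS deployments usually do it: RFC 3580 has the RADIUS server put the VLAN in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868) of its Access-Accept, and the access point (the NAS) applies it. The Python below is an added example, not code from the message or from hostapd or any list member; the shared secret, identifier and VLAN number are constructed values. It builds such an Access-Accept and shows the check a NAS must do before acting on it: verifying the Response Authenticator with the shared secret, so that a reply not produced by the real server is dropped rather than used to place a client in a privileged VLAN.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_ACCEPT = 2
# Tunnel attributes (RFC 2868) used for VLAN assignment per RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE 802"


def attribute(atype, value):
    """Encode one attribute: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_integer(tag, value):
    """RFC 2868 tagged integer: one tag octet then a 3-octet big-endian integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_vlan_access_accept(identifier, request_authenticator, secret, vlan_id, tag=1):
    """The server side: an Access-Accept telling the NAS which VLAN the client belongs in."""
    attrs = (
        attribute(TUNNEL_TYPE, tagged_integer(tag, TUNNEL_TYPE_VLAN))
        + attribute(TUNNEL_MEDIUM_TYPE, tagged_integer(tag, TUNNEL_MEDIUM_IEEE_802))
        + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3):
    # MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def parse_attributes(data):
    """Split the attribute region into (type, value) pairs, rejecting malformed lengths."""
    out = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[2:alen]))
        data = data[alen:]
    return out


def nas_extract_vlan(packet, request_authenticator, secret):
    """The NAS side: verify the reply came from a server holding the shared secret,
    then read the assigned VLAN. Returns the VLAN id, or None if no VLAN was assigned."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    received = packet[4:20]
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    # Constant-time comparison; a forged or tampered reply is dropped here.
    if not hmac.compare_digest(expected, received):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    if code != ACCESS_ACCEPT:
        return None
    tunnel_type, medium, group = {}, {}, {}
    for atype, value in parse_attributes(attrs_raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tag, number = value[0], int.from_bytes(value[1:], "big")
            (tunnel_type if atype == TUNNEL_TYPE else medium)[tag] = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet above 0x1F is part of the string, not a tag.
            tag, text = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            group[tag] = text.decode("ascii")
    # Only honour a group id whose tag is paired with Tunnel-Type=VLAN over IEEE 802.
    for tag, text in group.items():
        if tunnel_type.get(tag) == TUNNEL_TYPE_VLAN and medium.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            return int(text)
    return None


if __name__ == "__main__":
    # Constructed demo values: a throwaway secret and a random Request Authenticator,
    # which a real NAS generated itself when it sent the Access-Request.
    secret = b"example-shared-secret"
    req_auth = os.urandom(16)
    reply = build_vlan_access_accept(7, req_auth, secret, vlan_id=20)
    print("assigned VLAN:", nas_extract_vlan(reply, req_auth, secret))
    try:
        nas_extract_vlan(reply, req_auth, b"wrong-secret")
    except ValueError as err:
        print("rejected:", err)
```

The point for the thread: the access point only enforces what the RADIUS server tells it, and the Response Authenticator is the only thing binding that instruction to the server, so the strength of the VLAN or IP enforcement rests on the shared secret and on the NAS actually checking the authenticator before using the attributes.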
