Good tips, thanks.

My other RADIUS question: We can have one server to authenticate
everybody, right? Even though they're on different subnets?

On 4/3/07, Tim Fournet <tfournet at tfour.net> wrote:
> The problem with a single key for everyone is that once it's known to
> someone you don't want to know it (disgruntled ex-employee, for example)
> you have to change it for everyone. This results in a lot of angry calls.
>
> One means of mitigating brute-force password attacks for your 4-number
> passwords would be to enforce a lockout after n failed tries.
> It may not be perfect, but I understand you have to work with the (bad)
> policies you have. I won't get into all the better methods of
> authenticating your users, since I'm sure you know about them but the
> managers aren't going to agree to anything more difficult for the users.
>
> If you're running a windows domain, RADIUS is really easy to set up -
> Windows Server includes the IAS (Internet Authentication Service) which
> is just a RADIUS server. If you've got Linux servers, there are a
> handful of free radius servers available on Linux that work well too.
>
>
>
> Joe Fruchey wrote:
> > OK guys, let me pick your brains...
> >
> > There is interest in setting up Wi-Fi in our system. Since I've been
> > working with it for a while now at home, at others' homes, etc., I get
> > to be "Wi-Fi Guy." Why I take on all these responsibilities for such a
> > meager salary is beyond me. But I digress...
> >
> > I've used WPA-PSK for all the devices I've set up. I get a
> > 63-character Crazy-Ass password from https://www.grc.com/passwords to
> > eliminate the risk of brute-forcing it. I know about the existence of
> > RADIUS, but I'm not very familiar with it, and I'm not entirely sure
> > that it would be our ideal solution.
> >
> > From what I understand, if I were to go the RADIUS route, I would set
> > up a RADIUS server, which would prompt for a login upon connecting. It
> > would authenticate that against our domain login server, and either
> > allow or deny access based on the provided credentials. Is that pretty
> > much it? If so, I don't know if that's such a good idea. We have
> > laughable login security.
> >
> > Everyone's password is restricted to numerals only, and since they
> > must be at least four digits, 99.9% of our passwords are exactly four
> > digits. There are protections in place that check passwords against
> > the personnel database, so you can't use your SSN, DOB, or phone
> > number, but anniversaries and loved ones' birthdays are fair game, and
> > are often utilized.
> >
> > We have one WAP set up with WPA-PSK right now. We plan to expand, and
> > eventually have one at every site (all 27 of them). We'll use the same
> > key for all the routers (we're using routers instead of WAPs because
> > we don't use DHCP), and the key will be stored on the relevant users'
> > laptops as a text file.
> >
> > So which method is more secure? (If I've even got the RADIUS idea
> > correct...) PSK is susceptible to someone getting the text file, or
> > stealing a laptop, which is not unheard of... RADIUS seems susceptible
> > to simple password guessing, which could be very easy depending on the
> > user (and the villain)
> >
> > Any input is greatly appreciated.
> >
> > Thanks,
> >
> > Joe
> >
> > _______________________________________________
> > General mailing list
> > General at brlug.net
> > http://mail.brlug.net/mailman/listinfo/general_brlug.net
> >
>

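The lockout Tim suggests is easy to state and easy to get wrong, so here is an added example (not code from the thread, and not IAS or FreeRADIUS configuration) that replays a constructed RADIUS-style authentication log through a lock-after-n-failures policy and then works out what that policy buys against the 10^4 space of four-digit numeric passwords Joe describes. The threshold of 5 failures and the 30-minute lockout are assumed policy values, and the user names, timestamps and log format are made up for the example.

```python
"""Lockout policy replay for 4-digit numeric passwords behind RADIUS.

Added example, not code from the mailing-list thread.  It models the
mitigation suggested in the thread: lock an account after N failed
authentications, then shows how much of the 10^4 PIN space an attacker
can still cover.  The log below is constructed, not real IAS or
FreeRADIUS output, and the policy values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PIN_SPACE = 10 ** 4                 # numerals only, exactly four digits
MAX_FAILURES = 5                    # assumed policy: lock after 5 misses ...
LOCKOUT = timedelta(minutes=30)     # ... for 30 minutes

# Constructed sample log, one attempt per line: "<ISO timestamp> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2007-04-03T09:00:00 jfruchey FAIL
2007-04-03T09:00:02 jfruchey FAIL
2007-04-03T09:00:04 jfruchey FAIL
2007-04-03T09:00:06 jfruchey FAIL
2007-04-03T09:00:08 jfruchey FAIL
2007-04-03T09:00:10 jfruchey OK
2007-04-03T09:05:00 tfournet FAIL
2007-04-03T09:05:30 tfournet OK
2007-04-03T09:31:00 jfruchey OK
"""


def apply_lockout(log_text, max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Replay auth attempts in timestamp order and decide each one.

    Returns a list of (user, result, decision).  Decisions:
      ALLOW  - correct password and the account is not locked
      DENY   - wrong password, counted toward the lockout threshold
      LOCKED - rejected without checking the password at all, because
               the account is still inside its lockout window
    A correct password resets the failure counter.  A locked account stays
    locked even if the next guess happens to be right (line 6 of the log).
    """
    failures = defaultdict(int)
    locked_until = {}
    decisions = []
    for line in log_text.strip().splitlines():
        ts_text, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if user in locked_until and ts < locked_until[user]:
            decisions.append((user, result, "LOCKED"))
            continue
        if result == "OK":
            failures[user] = 0
            decisions.append((user, result, "ALLOW"))
        else:
            failures[user] += 1
            decisions.append((user, result, "DENY"))
            if failures[user] >= max_failures:
                locked_until[user] = ts + lockout
                failures[user] = 0
    return decisions


def guesses_per_day(max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Online guesses an attacker gets against ONE account per day."""
    windows_per_day = timedelta(days=1) / lockout
    return int(max_failures * windows_per_day)


def days_to_exhaust(max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Days needed to try every 4-digit PIN against one account."""
    return PIN_SPACE / guesses_per_day(max_failures, lockout)


def spray_guesses_per_day(accounts, max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Guesses per day when the attacker spreads them over many accounts,
    staying one below the threshold so nobody is ever locked (password
    spraying).  Lockout does not slow this down; only the PIN space does."""
    windows_per_day = timedelta(days=1) / lockout
    return int((max_failures - 1) * windows_per_day * accounts)


if __name__ == "__main__":
    for user, result, decision in apply_lockout(SAMPLE_LOG):
        print(f"{user:10} {result:4} -> {decision}")
    print("guesses/day vs one account:", guesses_per_day())
    print("days to exhaust 10^4 PINs:", round(days_to_exhaust(), 1))
    print("guesses/day spraying 100 accounts:", spray_guesses_per_day(100))
```

Two things the numbers make visible: with 5 tries per 30 minutes the attacker gets 240 guesses a day against one account, so the whole four-digit space falls in about six weeks, and a spray across many accounts with one guess below the threshold is never slowed at all, which is exactly where anniversary-style PINs get picked off. The lockout also hands anyone who can reach the RADIUS server a way to lock out every user on purpose, so log the LOCKED decisions and alert on them rather than treating them as noise.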