authpf and a decent ruleset. use a central box and tunnel it back.
redirect all unauthenticated http traffic to a website showing them
what to do to get authenticated.

see http://www.ualberta.ca/CNS/wireless/ for a description of what
we use here.

* Johan P. Lindström <[EMAIL PROTECTED]> [2005-07-16 10:48]:
> Thanks for all the replies, I see now that I should explain myself further.
> The scenario I am thinking of is when you run a public WiFi access point at
> let's say a campus with many new visitors from different organisations and
> you don't want to start messing around with WAP, WEP, IPSec, PPP or L2TP,
> having staff/manuals to help visitors setting up tunnels on their Windows XP
> / 2000 laptops is just not feasible. I am after a zero configuration
> solution for just the HTTP traffic, and if the sites browsed do not
> support https then there is little I can do on my end.
>
>
> On 7/15/05, Nick Holland <[EMAIL PROTECTED]> wrote:
> >
> > On Fri, Jul 15, 2005 at 06:03:01PM +0200, Johan P. Lindström wrote:
> > ...
> > > I'm not too familiar with the inner workings of the needed technologies
> > > (sometimes a pro, often a con) but what if one would use a https proxy,
> > > like say squid with SSL/TLS support, to obfuscate the http traffic
> > > leaving your laptop over the WiFi LAN to your local OpenBSD box that
> > > runs the proxy, that would then with some magic serve you the pages.
> > > So that http traffic could not be intercepted on the open WiFi network.
> > ...
> >
> > Before you worry about this too much...
> >
> > IF you are worried about people packet sniffing your wireless
> > connection, you should probably be running some kind of encryption on
> > the traffic already, wireless or not. What's the point of encrypting
> > from your laptop to the firewall, if it is then sent plain-text to the
> > remote end over the common cable that many of your neighbors are also
> > attached to.
> >
> > By this point in time, any communications over the internet which should
> > not be sniffed should be encrypted end-to-end.
> >
> > That was a specific answer to a specific question.
> > the above reply is not meant to imply wireless security issues "don't
> > matter". IF the question is, "How do I keep people out of my wireless
> > network", or "how do I keep them from sniffing internal traffic in my
> > network", my answer would be very different...but that wasn't the
> > question.
> >
> > Nick.
>

--
Bob Beck                          Computing and Network Services
[EMAIL PROTECTED]                 University of Alberta
True Evil hides its real intentions in its street address.
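
A sketch of the kind of gateway ruleset the reply describes, added here as an example and not taken from the post or from the University of Alberta setup. It assumes current pf syntax (OpenBSD 4.7 or later, where `rdr-to` is a rule option); the interface name, portal address and portal port are placeholders.

```conf
# /etc/pf.conf on the wireless gateway (added example, values are assumptions)
wifi_if     = "em1"        # assumed: interface facing the open wireless LAN
portal      = "127.0.0.1"  # assumed: local web server with the "how to log in" page
portal_port = "8080"       # assumed: port that web server listens on

# authpf adds the client's address to this table when the user logs in
# over SSH and removes it again when the SSH session ends.
table <authpf_users> persist

set skip on lo
block all
pass out

# Anyone on the wireless side may resolve names and reach sshd on the
# gateway, since logging in over SSH is how a client authenticates.
pass in on $wifi_if proto { tcp udp } to port domain
pass in on $wifi_if proto tcp to ($wifi_if) port ssh

# Unauthenticated clients: every HTTP request lands on the instruction page.
# Everything else they send stays blocked by "block all".
pass in on $wifi_if proto tcp from ! <authpf_users> to port www \
        rdr-to $portal port $portal_port

# Authenticated clients: authpf loads /etc/authpf/authpf.rules into a
# per-session anchor under authpf/, with $user_ip set to the client address.
# A minimal authpf.rules for this layout would hold a single line:
#   pass in quick on em1 from $user_ip
anchor "authpf/*" in on $wifi_if
```

Users whose login shell is `/usr/sbin/authpf` get access for as long as their SSH session stays open, and `/etc/authpf/authpf.conf` must exist for authpf to run.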