Why not simply use FreeRADIUS or, even if expensive, Radiator? One of the solutions could be RADIUS configured to communicate with LDAP.
Sincerely

On Sun, 20 Jul 2003 13:29:32 -0400 N407ER <[EMAIL PROTECTED]> wrote:

> Hi, folks,
>
> We're (I use the anonymous "we" here with apologies) in the process of
> setting up a Wi-Fi access point here. Bear in mind that we have little
> control over client configuration or consistency--personal computers
> would be used, with any OS--and don't want to spend a lot of time
> providing technical support.
>
> One of the other groups here went with a product called ReefEdge to
> provide Wi-Fi authentication to prevent unauthorized usage; as far as I
> can tell from chatting with them, it does pretty much the same as what
> we were thinking; however, due to cost, we'd prefer to develop something
> in-house or use something open source.
>
> So the plan I had was this:
>
> Set up the gateway with a firewall which would by default redirect all
> outgoing tcp/80 traffic to the local machine, which would have a
> "sign-in" page. Users authenticate with their username/password, and a
> ruleset is temporarily added to the firewall allowing them full outgoing
> traffic. When they are done, they log out, deleting the ruleset (or we
> time out their connection after a certain amount of inactivity).
>
> The real question I have is, even if we were to use MAC address matching
> instead of IP (iptables has an option in the 2.4 kernel for MAC
> matching, as I recall) anyone can grab all the information he needs to
> spoof a valid connection from a single captured packet. Now, assuming we
> close or timeout connections when the user logs out, he'd have to take
> over a connection still in use. There is no guarantee, though, that the
> victim client would even notice (nor would we), especially if it is
> running something like ZoneAlarm and simply drops, with no ICMP reject,
> all unexpected packets. This would mean the attacker could simply pick
> up all the responses to his spoofed connections without the victim
> noticing.
>
> So how can you prevent this without using something which would require
> client-side support, like VPN? VPN is not much of an option for us, I've
> been told that a Mac VPN client costs money, and regardless, we don't
> want to have to support user configuration. Do I have to simply hope no
> one will be able to hijack a connection which is in use?
>
> I've seen software which claims to detect attempts to hijack Wi-Fi
> networks, but most appear to just detect brute-forcing on the IP
> address, etc. Any attacker could merely passively capture a single
> packet and bypass this detection in a snap.
>
> Thanks for any help.
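The gateway design from the quoted post, as an added example that is not part of this thread: a hypothetical Python session table that grants a per-client iptables rule on sign-in, refuses to rebind a live IP to a second MAC, and tears sessions down on logout or inactivity. The rule strings, the 15-minute timeout and the wrapper class are assumptions; the rules bind a session only to addresses, which is exactly the limit the post points out.

```python
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before teardown (assumed value)


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    last_seen: float


class PortalGateway:
    """Sign-in gateway session table (hypothetical). Rules are returned as
    iptables command strings instead of being executed, so the logic runs
    without root or a real firewall."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}  # ip -> Session

    def _rule(self, action, s):
        # -m mac --mac-source is the 2.4-kernel MAC match the post mentions;
        # FORWARD is where wireless-to-outside traffic is decided.
        return (f"iptables -{action} FORWARD -s {s.ip} "
                f"-m mac --mac-source {s.mac} -j ACCEPT")

    def login(self, user, ip, mac):
        existing = self.sessions.get(ip)
        if existing and existing.mac != mac:
            # Same IP, different MAC while a session is live: refuse instead
            # of silently handing the open rule to the newcomer.
            raise PermissionError(f"{ip} already bound to {existing.mac}")
        s = Session(ip, mac, user, self.now())
        self.sessions[ip] = s
        return self._rule("A", s)

    def touch(self, ip):
        """Record activity so the inactivity timer restarts."""
        if ip in self.sessions:
            self.sessions[ip].last_seen = self.now()

    def logout(self, ip):
        return self._rule("D", self.sessions.pop(ip))

    def expire_idle(self):
        """Tear down sessions idle past IDLE_TIMEOUT; return the delete rules."""
        cutoff = self.now() - IDLE_TIMEOUT
        stale = [ip for ip, s in self.sessions.items() if s.last_seen < cutoff]
        return [self.logout(ip) for ip in stale]
```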
