Sam,

From: Joe <[EMAIL PROTECTED]>
Date: 1 October 2006 3:07:24 PM
To: "Sam Fourman Jr." <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: Wireless Auth


Sam Fourman Jr. wrote:

I am looking for ways to authenticate wireless users (Windows XP, Mac
OS X) that connect to a wireless AP (several, using OpenBSD's new
roaming in hostapd) running OpenBSD 4.0.
The way I understand it, if I use authpf that requires a user to
maintain an SSH session.
Is there some reasonably secure solution (for an exclusively OpenBSD
4.0 back-end network) that would maybe allow users to log in
via a web page portal? LDAP, RADIUS maybe?
And a side note: does anyone know if trunk(4) supports wireless cards
running in hostap mode?
Example: failover or load balance maybe?
I am looking for suggestions.


The best option would be to use IPSEC between the clients and OpenBSD and set up PF on the wireless interface to only permit IPSEC traffic.

The setup provides strong authentication and encryption.

I don't recommend authpf, since all it does is authenticate. Your wireless traffic is not encrypted. The only other way to encrypt your traffic would be to use IPSEC or an SSH tunnel (-w option).


Joe's right - I used the following three articles to set up something similar:

http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html
http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html
http://www2.papamike.ca:8082/tutorials/pub/obsd_ipsec.html

The first explains how to setup what they call a Secure Wireless Access Point ("SWAP") for Windows clients using OpenBSD. It gives a good overview and also provides enough information to figure out how Windows implements IPsec.

The second explains how to implement IPsec on FreeBSD which - like MacOS X - uses racoon(8) and setkey(8) to implement IPsec.

The third gives a lot of detail on how to implement IPsec on OpenBSD 3.8. I found I needed the examples as it took me a while to really get how IPsec works. From what I understand IPsec has got a lot easier to implement on OpenBSD 4.0, so reading all the relevant man pages - especially ipsec.conf(5), ipsecctl(8), isakmpd(8) and isakmpd.conf(5) - in the 4.0 release may reveal a simpler implementation for your requirements.

I'm currently using OpenBSD 3.9 as a "SWAP" for both MacOS X and Windows clients. It's certainly not as easy as buying a hardware wireless access point device and implementing WPA (or worse) but it's a hell of a lot more satisfying knowing it's all OpenBSD and all open-source and open-standards.

Feel free to contact me off-list if you require more assistance.

Best wishes,
Damon
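As an added illustration of the PF side of Joe's suggestion (not from any of the posters, nor from the linked articles), the following pf.conf fragment lets the wireless interface carry only IKE and ESP to the gateway and applies client policy on enc0, where decrypted traffic reappears. Interface names (ath0, em0), the 10.0.0.0/24 client network, the 10.0.0.1 gateway address and the DHCP allowance are assumptions for the example.

```pf
# Added example: gateway pf.conf for a wireless segment that carries
# only IPsec.  Assumed: ath0 is the hostap interface, em0 the wired side,
# 10.0.0.1 the gateway's wireless address, 10.0.0.0/24 the client network.
wifi = "ath0"
wired = "em0"
gw = "10.0.0.1"
wlan_net = "10.0.0.0/24"

set skip on lo0

# Default deny in both directions on the wireless side, so cleartext
# client traffic is never forwarded.  Logged hits show clients that
# are talking without a tunnel.
block log on $wifi

# Key negotiation (IKE on 500, NAT-T on 4500) and the ESP packets
# themselves are the only things the gateway accepts over the air.
pass in on $wifi proto udp from $wlan_net to $gw port { 500, 4500 } keep state
pass in on $wifi proto esp from $wlan_net to $gw keep state
pass out on $wifi proto udp from $gw to $wlan_net port { 500, 4500 } keep state
pass out on $wifi proto esp from $gw to $wlan_net keep state

# Assumption: clients obtain addresses by DHCP before a tunnel exists,
# so this is the one cleartext service allowed; remove it for static
# addressing.
pass in on $wifi proto udp from any port 68 to any port 67
pass out on $wifi proto udp from any port 67 to any port 68

# Decrypted packets show up on enc0 and only packets that came out of
# an SA appear here, so a cleartext sender cannot spoof its way past.
# The ipencap line covers the outer header seen with tunnel-mode SAs.
pass in on enc0 proto ipencap from $wlan_net to $gw keep state
pass in on enc0 from $wlan_net to any keep state
pass out on enc0 from any to $wlan_net keep state

# Forward the decrypted client traffic toward the wired network.
pass out on $wired from $wlan_net to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -i pflog0` for blocked cleartext from clients that have not brought up their SA.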
