Sam,
From: Joe <[EMAIL PROTECTED]>
Date: 1 October 2006 3:07:24 PM
To: "Sam Fourman Jr." <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: Wireless Auth
Sam Fourman Jr. wrote:
I am looking for ways to authenticate wireless users (Windows XP, Mac
OS X) that connect to a wireless AP (several, using OpenBSD's new
roaming in hostapd) running OpenBSD 4.0.
The way I understand it, if I use authpf that requires a user to
maintain an SSH session.
Is there some reasonably secure solution (for an exclusively OpenBSD
4.0 back-end network) that would maybe allow users to log in
via a web page portal? LDAP, RADIUS maybe?
And a side note: does anyone know if trunk(4) supports wireless cards
running in hostap mode?
Example: failover or load balance maybe?
I am looking for suggestions.
The best option would be to use IPSEC between the clients and
OpenBSD and setup PF on the wireless interface to only permit IPSEC
traffic.
The setup provides strong authentication and encryption.
I don't recommend authpf, since all it does is authenticate. Your
wireless traffic is not encrypted. The only other way to encrypt
your traffic would be to use IPSEC or an SSH tunnel (-w option).
Joe's right - I used the following three articles to set up something
similar:
http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html
http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html
http://www2.papamike.ca:8082/tutorials/pub/obsd_ipsec.html
The first explains how to set up what they call a Secure Wireless
Access Point ("SWAP") for Windows clients using OpenBSD. It gives a
good overview and also provides enough information to figure out how
Windows implements IPsec.
The second explains how to implement IPsec on FreeBSD which - like
MacOS X - uses racoon(8) and setkey(8) to implement IPsec.
The third gives a lot of detail on how to implement IPsec on OpenBSD
3.8. I found I needed the examples as it took me a while to really
get how IPsec works. From what I understand IPsec has got a lot
easier to implement on OpenBSD 4.0, so reading all the relevant man
pages - especially ipsec.conf(5), ipsecctl(8), isakmpd(8) and
isakmpd.conf(5) - in the 4.0 release may reveal a simpler
implementation for your requirements.
I'm currently using OpenBSD 3.9 as a "SWAP" for both MacOS X and
Windows clients. It's certainly not as easy as buying a hardware
wireless access point device and implementing WPA (or worse), but it's
a hell of a lot more satisfying knowing it's all OpenBSD and all
open-source and open-standards.
Feel free to contact me off-list if you require more assistance.
Best wishes,
Damon
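A pf.conf(5) ruleset of the kind Joe and Damon describe, added here as an example; it is not from any of the posters or from the linked articles. The interface names, the client address range and the DHCP exception are assumptions for illustration, and the syntax is the explicit-"keep state" form used on OpenBSD 4.0.

```pf
# pf.conf fragment for a "SWAP" gateway: on the radio interface only
# IKE and ESP may reach the box; client traffic shows up on enc0 only
# after it has been decrypted, and is filtered there.
# Interface names and the address range are assumptions for the example.
ext_if   = "fxp0"            # wired uplink (assumed)
wifi_if  = "ath0"            # interface hostapd runs on (assumed)
wifi_net = "192.168.10.0/24" # constructed wireless client range

set skip on lo
block log all

# Weak setting this thread argues against: passes unauthenticated,
# unencrypted client traffic straight through the AP.
# pass in on $wifi_if from $wifi_net to any keep state

# Clients need an address before they can start IKE, so DHCP is the one
# cleartext exception on the radio interface (assumed dhcpd on the gateway).
pass in  on $wifi_if inet proto udp from any port 68 to any port 67 keep state
pass out on $wifi_if inet proto udp from ($wifi_if) port 67 to any port 68 keep state

# Hardened: only IKE (UDP 500), NAT-T (UDP 4500) and ESP are accepted
# from the wireless range, and only when addressed to the gateway itself.
pass in  on $wifi_if inet proto udp from $wifi_net to ($wifi_if) port { 500, 4500 } keep state
pass out on $wifi_if inet proto udp from ($wifi_if) port { 500, 4500 } to $wifi_net keep state
pass in  on $wifi_if inet proto esp from $wifi_net to ($wifi_if)
pass out on $wifi_if inet proto esp from ($wifi_if) to $wifi_net

# Decrypted client traffic appears on enc0; treat it like an internal
# interface and let it out the uplink (add a nat rule if the range is private).
pass in  on enc0 inet from $wifi_net to any keep state
pass out on enc0 inet from any to $wifi_net keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while a client associates: with `block log all` in place, anything a client sends in the clear other than DHCP and IKE shows up there, which is a quick way to confirm the radio side really is IPsec-only. Note that pf filters at layer 3, so this does nothing about clients talking to each other directly over the air; that has to be handled at the AP.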