---- Original message ----
>Date: Sun, 1 Oct 2006 20:55:42 +0930
>From: Damon McMahon <[EMAIL PROTECTED]>
>Subject: Re: Wireless Auth
>To: OpenBSD-misc list <misc@openbsd.org>
>
>Sam,
>
>> From: Joe <[EMAIL PROTECTED]>
>> Date: 1 October 2006 3:07:24 PM
>> To: "Sam Fourman Jr." <[EMAIL PROTECTED]>
>> Cc: misc@openbsd.org
>> Subject: Re: Wireless Auth
>>
>>
>> Sam Fourman Jr. wrote:
>>
>>> I am looking for ways to authenticate wireless users (Windows XP, Mac
>>> OS X) that connect to a wireless AP (several, using OpenBSD's new
>>> roaming in hostapd) running OpenBSD 4.0.
>>> The way I understand it, if I use authpf that requires a user to
>>> maintain an SSH session.
>>> Is there some reasonably secure solution (for an exclusively OpenBSD
>>> 4.0 back end network) that would maybe allow users to log in
>>> via a web page portal? LDAP, RADIUS maybe?
>>> And a side note: does anyone know if trunk(4) supports wireless cards
>>> running in hostap mode?
>>> For example failover or load balancing maybe?
>>> I am looking for suggestions.
>>>
>>
>> The best option would be to use IPSEC between the clients and
>> OpenBSD and set up PF on the wireless interface to only permit IPSEC
>> traffic.
>>
>> The setup provides strong authentication and encryption.
>>
>> I don't recommend authpf, since all it does is authenticate. Your
>> wireless traffic is not encrypted. The only other way to encrypt
>> your traffic would be to use IPSEC or an SSH tunnel (-w option).
>>
>

in my experience, using IPSEC to secure a wifi network segment is overly
complicated since every service where security really matters should be
encrypted in the first place. if someone sniffs a password of mine that goes
over HTTP without SSL, that password is a low security one in the first place. i
place 0 trust in the idea that traffic is not sifted through once it goes
upstream through the ISP's machines.

from the perspective of protecting a corporate wifi segment it does make sense,
but the added complexity is significant. the more glaring problem, IMO, is that
whatever protocol is being used to send the password isn't encrypted. does anyone
who implements a wifi setup like this with "naive" windows and mac clients have
anything to say about the management overhead for such a setup? by management
overhead, i mean time spent configuring, fixing, and maintaining such a setup.

>Joe's right - I used the following three articles to set up something
>similar:
>
>http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html
>http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html
>http://www2.papamike.ca:8082/tutorials/pub/obsd_ipsec.html
>
>The first explains how to set up what they call a Secure Wireless
>Access Point ("SWAP") for Windows clients using OpenBSD. It gives a
>good overview and also provides enough information to figure out how
>Windows implements IPsec.
>
>The second explains how to implement IPsec on FreeBSD which - like
>MacOS X - uses racoon(8) and setkey(8) to implement IPsec.
>
>The third gives a lot of detail on how to implement IPsec on OpenBSD
>3.8. I found I needed the examples as it took me a while to really
>get how IPsec works. From what I understand IPsec has got a lot
>easier to implement on OpenBSD 4.0, so reading all the relevant man
>pages - especially ipsec.conf(5), ipsecctl(8), isakmpd(8) and
>isakmpd.conf(5) - in the 4.0 release may reveal a simpler
>implementation for your requirements.
>
>I'm currently using OpenBSD 3.9 as a "SWAP" for both MacOS X and
>Windows clients. It's certainly not as easy as buying a hardware
>wireless access point device and implementing WPA (or worse) but it's
>a hell of a lot more satisfying knowing it's all OpenBSD and all
>open-source and open-standards.
>
>Feel free to contact me off-list if you require more assistance.
>
>Best wishes,
>Damon
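The PF side of Joe's suggestion, "set up PF on the wireless interface to only permit IPSEC traffic", is the part of the thread that is easy to get subtly wrong: the wireless interface has to admit DHCP as well, or clients never get an address from which to start IKE, and the real per-client policy belongs on enc(4), where traffic appears only after it has been decapsulated. The fragment below is an added example written for this page, not configuration from any of the posters or from the linked articles; the interface name and the addresses are assumed placeholders, and it uses the explicit `keep state` of the OpenBSD 4.0-era pf.conf(5) grammar. The isakmpd(8)/ipsec.conf(5) side is left to the man pages Damon lists.

```conf
# Added example (not from the thread): /etc/pf.conf fragment for an
# OpenBSD 4.0-era gateway whose wireless interface admits only IPsec.
wifi_if  = "ath0"            # hostap interface (assumed name)
wifi_net = "10.0.1.0/24"     # address pool handed to wireless clients (assumed)
gw       = "10.0.1.1"        # gateway's own address on the wireless segment (assumed)

# Default deny on the wireless side. Anything not matched by an
# exception below is dropped and logged, so an unauthenticated client
# can reach nothing but the gateway's IKE and ESP endpoints.
block in log on $wifi_if all

# Clients need an address before they can start IKE: allow DHCP, and
# nothing else, from the not-yet-authenticated segment.
pass in on $wifi_if proto udp from any port 68 to any port 67 keep state

# IKE (isakmpd) on udp/500 and IKE/ESP NAT-traversal on udp/4500,
# accepted only when addressed to the gateway itself.
pass in on $wifi_if proto udp from $wifi_net to $gw port { 500, 4500 } keep state

# The ESP payload itself, again only to the gateway.
pass in on $wifi_if proto esp from $wifi_net to $gw

# Packets that IPsec has decapsulated reappear on enc0. This is the
# only path off the wireless segment, so the policy for authenticated
# clients (what they may reach upstream) goes here.
pass in on enc0 from $wifi_net to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Two checks worth making after it is live: `tcpdump -n -e -ttt -i pflog0` should show a client's plain (non-ESP) traffic being blocked on the wireless interface, and `tcpdump -n -i enc0` should show the same client's traffic only once IKE has completed. Note that PF does not filter ARP, so the default-deny rule says nothing about layer 2; that is what the hostapd(8) side and the IPsec policy itself have to cover.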
