[NCLUG] (offtopic) WLAN wardriving in FC

Mike Loseke mike at verinet.com
Wed Oct 9 08:19:42 MDT 2002


Thus spake Michael Milligan:
> 
> Michael Dwyer wrote:
> > Benson Chow wrote:
> > 
> >> Just curious...  but I guess I should change WEP keys more often.
> > 
> > Don't count on the key too much.
> 
> If your AP supports it, you can enable access controls to only allow certain 
> MAC addresses to associate.  That's been a reasonable way to stop 
> freeloaders for me.
> 
> Of course, that doesn't stop eavesdroppers.  So ditto on the "use encryption 
> at a higher layer".

 I can't recommend it for home use unless you have money burning a hole
in your pocket (in which case, let me forward you my address) but the EAP
stuff in the Cisco access points works pretty nice. You configure an ACS
(Access Control Server) on a machine on your NT domain and set your clients
and AP's up with "encrypted only" configs. It works fairly slick. It forces
a valid authentication of your NT credentials (I haven't had a chance to
test this from a linux client yet) against the domain before the client
can associate (in the sense that you can pass packets across it at your
request) and rotates the key every 30 minutes. Runs with multiple 40 or
128-bit keys and you can add multiple ACS points for different domains or
redundancy.

 To bring this back to advocacy land, the ACS software behaves very
strangely when you have multiple ACS servers defined in your AP's and one
of those ACS servers is not responding to the EAP requests. This causes
you to have to reboot the *valid* ACS servers so that your clients can
authenticate (restarting the services doesn't work). Plus the ACS software
(sold separately) is expensive.

-- 
                  | If you hear a Southerner exclaim, "Hey, y'all,
   Mike Loseke    | watch this!" stay out of his way. These are
 mike at verinet.com | likely the last words he will ever say.


