[NBLUG/talk] WiFi revisited

Coy Thorp C.Thorp at mdl.com
Mon Jun 7 13:43:55 PDT 2004



-----Original Message-----
From: Lincoln Peters [mailto:sampln at sbcglobal.net] 
Sent: Monday, June 07, 2004 12:03 PM
To: General NBLUG chatter about anything Linux, answers to questions, etc.
Subject: RE: [NBLUG/talk] WiFi revisited

On Mon, 2004-06-07 at 11:36, Coy Thorp wrote:
> Your most secure Wireless implementation, of your choices, would be 
> WPA w/ Radius.  Pre-shared keys are good, but radius requires a 
> username and a password.  It also depends on what level of WPA you are 
> doing.  WEP w/dynamic keys?  TKIP?  AES?  I recommend either TKIP or 
> AES, as man-in-the-middle attacks on WEP are highly successful, and 
> not too difficult to do.  One other level of authentication is to 
> create certs for your clients and your wireless devices (highly 
> recommended).  You can do this with a local cert server (openSSL works 
> great), or you can pay out the nose for an outside authority.  Your 
> choice. :)

Sounds good, but it raises some additional questions:

1. It looks like I would need to set up an external RADIUS server. 
Looking at the "apt" repository for Debian/unstable, I can see several
different implementations to choose from:
  a. freeradius
  b. radius-cistron
  c. radius-livingston
  d. xtradius
  e. yardradius
Does anyone have experience with any of these RADIUS servers?  Any
recommendations?  Recommended literature?

- I don't have any experience with those packages.  You might google them :)

2. What do I need to do to make a client box running Debian/unstable support
the RADIUS protocol?

- I don't have enough debian experience to help you there, either.

3. The router is capable of using either TKIP or AES; exactly the two
protocols you recommended.  Are there any advantages or disadvantages to
using one rather than the other?

- In my mind, either one is sufficient.  AES was designed by the NSA, so
there are many paranoid hackers who won't run it, thinking the government
put a back-door in it (which isn't unlikely).  I think it really depends on
what your client will support.  We run TKIP at our organization because
there is slightly broader client driver support for the protocol.

---
Lincoln Peters
<sampln at sbcglobal.net>

To err is human, to forgive is against company policy.
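Coy's suggestion to issue certificates for wireless clients from a local OpenSSL CA, as an added shell example that is not part of the thread: it builds a self-signed CA, enrols one client, and checks that the client certificate chains to the CA (the kind of material a RADIUS server doing certificate-based WPA authentication would be pointed at). The CA name, client name, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the NBLUG thread. Names such as "NBLUG Lab CA" and
# "laptop01" are constructed placeholders; adjust sizes and lifetimes to taste.
set -e

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=NBLUG Lab CA" 2>/dev/null
    chmod 600 "$dir/ca.key"   # the CA key is the root of trust; keep it private
}

# issue_client_cert DIR NAME: generate a key and CSR for NAME, then sign the
# CSR with the CA in DIR. The client gets NAME.key and NAME.crt.
issue_client_cert() {
    dir="$1"; name="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# verify_client_cert DIR NAME: exit 0 if NAME.crt chains to DIR/ca.crt,
# non-zero otherwise (a cert from any other CA is rejected).
verify_client_cert() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1
}

# Demo: build the CA in a scratch directory, enrol one client, check the chain.
work=$(mktemp -d)
make_ca "$work"
issue_client_cert "$work" laptop01
verify_client_cert "$work" laptop01 && echo "laptop01 chains to $work/ca.crt"
```

The RADIUS server is then configured to trust ca.crt, and each client is given its own NAME.key and NAME.crt; a certificate issued by any other CA will fail the same verification.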


_______________________________________________
talk mailing list
talk at nblug.org
http://nblug.org/cgi-bin/mailman/listinfo/talk