LITTLEBLACKDOG.COM
benzini00
Stray Dog
Joined: 22 May 2003 Posts: 10
Location: UK
Posted: Tue Aug 29, 2006 11:56 am Post subject: Wireless authentication
Hi Dogs,
I currently have a handful of wireless APs at my place of work that are only in place to offer internet access to laptop users, so far the only 'security' for this wireless network is a hidden SSID, private internet class C IP range and the fact that it's VLAN'ed off from our business network finding its way out onto the internet via MS ISA Server 2004 ...
I need to keep things as simple as possible for the users, thus I would like to turn SSID back on as this is where most people get stuck as they can't 'see' the network and I often have to deal with comments such as 'but I can see the one in Starbucks and don't have to manually add their SSID'
Before I turn the SSID back on I would like to get some form of authentication in place, something like the commercial hotspots / zones where you can't browse any web site or make any internet connections until you've authenticated with a Username / Password on a default web page.
We already have Active Directory with accounts created for all our users, and I would prefer to authenticate against that (again for ease of use on the users' part).
RADIUS & 802.1X has got my head in a bit of a spin ... anyone have any solutions they're currently using and found easy to set up and maintain?
Ideally looking for as low cost a solution as possible, don't mind bashing away with Linux if required, but would prefer a Windows solution as my colleagues will have to support the system when I'm away and none of them have used Linux ... yet ...
Many thanks in advance ...
Z
Extreme
Big Dog


Joined: 17 Jun 2001 Age: 28 Posts: 4382
Location: Palm Bay, Florida USA
Posted: Tue Aug 29, 2006 12:18 pm Post subject:
What type of routers are you dealing with? In the wireless security option don't you have a Radius Authentication option?
You mention this is a business, but it wouldn't hurt to see if you could upgrade the firmware to DD-WRT, which has RADIUS available.
Then you could use AD and IAS to authenticate.
DD-WRT Help Page wrote:
WPA RADIUS
WPA RADIUS uses an external RADIUS server to perform user authentication. To use WPA RADIUS, enter the IP address of the RADIUS server, the RADIUS Port (default is 1812) and the shared secret from the RADIUS server.
RADIUS
RADIUS utilizes either a RADIUS server for authentication or WEP for data encryption. To utilize RADIUS, enter the IP address of the RADIUS server and its shared secret. Select the desired encryption bit (64 or 128) for WEP and enter either a passphrase or a manual WEP key.
_________________ I ♥ my IT guy, do you?
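What the shared secret in the quoted DD-WRT help text is used for, as an added Python example (not from the thread or from DD-WRT): the AP signs its Access-Request with a Message-Authenticator, and it accepts a reply only if the Response Authenticator was computed with the same secret. Assumptions: the EAP-Message attributes of a real WPA RADIUS exchange are left out, the reply carries no attributes, and the secret and user name are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # RADIUS packet codes (RFC 2865)
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80   # attribute types

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, user):
    """AP side: Access-Request whose last attribute is an HMAC-MD5 of the packet."""
    attrs = attr(USER_NAME, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs   # random Request Authenticator
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def request_is_authentic(secret, packet):
    """Server side: recompute the HMAC with the (last) attribute value zeroed."""
    zeroed = packet[:-16] + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, packet[-16:])

def build_reply(secret, request, code=ACCESS_ACCEPT):
    """Server side: Response Authenticator = MD5(header + Request Authenticator + secret)."""
    header = struct.pack("!BBH", code, request[1], 20)   # reply without attributes
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def reply_is_authentic(secret, request, reply):
    """AP side: accept a reply only if it answers this request under our secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    ap_secret = b"constructed-shared-secret"   # constructed sample values
    req = build_access_request(ap_secret, 7, b"constructed.user")
    print("server accepts request:", request_is_authentic(ap_secret, req))
    print("AP accepts genuine reply:",
          reply_is_authentic(ap_secret, req, build_reply(ap_secret, req)))
    print("AP accepts reply made with another secret:",
          reply_is_authentic(ap_secret, req, build_reply(b"other-secret", req)))
```

A mismatch between the secret entered on the AP and the one configured for that client on the RADIUS server shows up as exactly these failed checks, with requests or replies silently discarded.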
benzini00
Stray Dog
Joined: 22 May 2003 Posts: 10
Location: UK
Posted: Tue Aug 29, 2006 12:55 pm Post subject:
Hi Extreme,
Most if not all APs are USR 5453. I'll check to see if we're using the latest firmware, but I'm sure I've seen an 802.1X and possibly a Radius section in the config pages.
The VLAN has been created with HP ProCurve 1Gb switches, I've still not given a great deal of thought as to how I'm going to route the Radius traffic to the business side of the network in order for it to use IAS and AD. I suppose I could do it with a low cost router and lock it down to only allow the Radius traffic?
It's an inherited network so I'm still trying to get my head around what the last guy was trying to achieve!
Cheers
Z
benzini00
Stray Dog
Joined: 22 May 2003 Posts: 10
Location: UK
Posted: Tue Aug 29, 2006 1:37 pm Post subject:
Doh! ... they're USR 5450s, no mention of Radius anywhere ...
iceman
Cat Chaser


Joined: 18 Feb 2001 Posts: 953
Location: San Diego
Posted: Tue Aug 29, 2006 7:12 pm Post subject: Re: Wireless authentication
benzini00 wrote:
Hi Dogs,
I currently have a handful of wireless APs at my place of work that are only in place to offer internet access to laptop users, so far the only 'security' for this wireless network is a hidden SSID, private internet class C IP range and the fact that it's VLAN'ed off from our business network finding its way out onto the internet via MS ISA Server 2004 ...
VLAN'ing the WiFi is a good thing, as is the private class C. You really need to reconsider enabling SSID, as Win clients basically broadcast the previously associated AP SSIDs anyways, so hiding it does no good...
Quote: I need to keep things as simple as possible for the users, thus I would like to turn SSID back on as this is where most people get stuck as they can't 'see' the network and I often have to deal with comments such as 'but I can see the one in Starbucks and don't have to manually add their SSID'
Bingo... this is the other reason for enabling SSID, and then putting down some seriously hard security. It is possible...
Quote: Before I turn the SSID back on I would like to get some form of authentication in place, something like the commercial hotspots / zones where you can't browse any web site or make any internet connections until you've authenticated with a Username / Password on a default web page.
If you have a Windows domain already in place, you're halfway there. You don't need to do the whole "hotspot" thing, as this will make things harder for the users (on the intra-net side).
Quote: We already have Active Directory with accounts created for all our users, and I would prefer to authenticate against that (again for ease of use on the users' part).
RADIUS & 802.1X has got my head in a bit of a spin ... anyone have any solutions they're currently using and found easy to set up and maintain?
If you have AD already set up, then it is a matter of using 802.1x to authenticate the ports and clients. Much depends on your wireless kit, but it is very possible.
Quote: Ideally looking for as low cost a solution as possible, don't mind bashing away with Linux if required, but would prefer a Windows solution as my colleagues will have to support the system when I'm away and none of them have used Linux ... yet ...
Many thanks in advance ...
Z
Check MS Knowledge Base, they've got some excellent articles online, and some tools that can make pre-provisioning and locking down your wireless network. Most likely, you have most of what you need hardware and software-wise, most of the effort now is upgrading the wet-ware, i.e. educating oneself.
iceman
_________________ --
If you lived here, you'd be home now
Yep - I did 10K WU for SETI, have you?
All times are GMT - 8 Hours