[brlug-general] Wireless security (Not specifically Linux-related)
Tim Fournet
tfournet at tfour.net
Tue Apr 3 09:13:56 CDT 2007
The problem with a single key for everyone is that once it's known to
someone you don't want to know it (disgruntled ex-employee, for example)
you have to change it for everyone. This results in a lot of angry calls.
One means of mitigating brute-force password attacks for your 4 number
passwords would be to enforce a lockout after n number of failed tries.
It may not be perfect, but I understand you have to work with the (bad)
policies you have. I won't get into all the better methods of
authenticating your users, since I'm sure you know about them but the
managers aren't going to agree to anything more difficult for the users.
If you're running a Windows domain, RADIUS is really easy to set up -
Windows Server includes the IAS (Internet Authentication Service) which
is just a RADIUS server. If you've got Linux servers, there are a
handful of free RADIUS servers available on Linux that work well too.
Joe Fruchey wrote:
> OK guys, let me pick your brains...
>
> There is interest in setting up Wi-Fi in our system. Since I've been
> working with it for a while now at home, at others' homes, etc., I get
> to be "Wi-Fi Guy." Why I take on all these responsibilities for such a
> meager salary is beyond me. But I digress...
>
> I've used WPA-PSK for all the devices I've set up. I get a
> 63-character Crazy-Ass™ password from https://www.grc.com/passwords to
> eliminate the risk of brute-forcing it. I know about the existence of
> RADIUS, but I'm not very familiar with it, and I'm not entirely sure
> that it would be our ideal solution.
>
> From what I understand, if I were to go the RADIUS route, I would set
> up a RADIUS server, which would prompt for a login upon connecting. It
> would authenticate that against our domain login server, and either
> allow or deny access based on the provided credentials. Is that pretty
> much it? If so, I don't know if that's such a good idea. We have
> laughable login security.
>
> Everyone's password is restricted to numerals only, and since they
> must be at least four digits, 99.9% of our passwords are exactly four
> digits. There are protections in place that check passwords against
> the personnel database, so you can't use your SSN, DOB, or phone
> number, but anniversaries and loved ones' birthdays are fair game, and
> are often utilized.
>
> We have one WAP set up with WPA-PSK right now. We plan to expand, and
> eventually have one at every site (all 27 of them). We'll use the same
> key for all the routers (we're using routers instead of WAPs because
> we don't use DHCP), and the key will be stored on the relevant users'
> laptops as a text file.
>
> So which method is more secure? (If I've even got the RADIUS idea
> correct...) PSK is susceptible to someone getting the text file, or
> stealing a laptop, which is not unheard of... RADIUS seems susceptible
> to simple password guessing, which could be very easy depending on the
> user (and the villain)
>
> Any input is greatly appreciated.
>
> Thanks,
>
> Joe
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
>
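The lockout Tim suggests (lock the account after n failed tries) is the one control that actually changes the arithmetic for a 4-digit numeric password, since the whole keyspace is only 10,000 values. The following is an added example written for this thread; it is not code from the list, from IAS, or from any RADIUS server. The threshold (5 failures), the lockout length (15 minutes), the PBKDF2 hashing of the stored PIN, the user name "joe" and the PIN "0842" are all constructed for the demonstration. The simulation shows what an online guesser sees against one account: five guesses get checked, every later attempt is refused without the PIN even being compared, and the account is usable again only after the window passes.

```python
"""Failed-attempt lockout in front of a PIN check (added example).

Not code from the mailing-list thread, from IAS, or from any RADIUS
server. Threshold, lockout window, user name and PIN are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

MAX_FAILURES = 5            # n failed tries before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts (assumed)
PIN_SPACE = 10 ** 4         # every possible 4-digit numeric password


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a copied credential store is not trivially reversible.
    # With only 10,000 candidates this cannot save an offline leak; the lockout
    # below is what limits *online* guessing, which is the RADIUS scenario.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class ManualClock:
    """Injectable clock so the lockout window can be tested without sleeping."""

    def __init__(self, t: float) -> None:
        self.t = t

    def now(self) -> float:
        return self.t


class Authenticator:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.accounts: Dict[str, Account] = {}

    def add_user(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_pin(pin, salt))

    def login(self, user: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.locked_until > self.now():
            return "locked"          # refused before any PIN comparison
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0        # a good login clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def simulate_online_guessing(auth: Authenticator, user: str,
                             candidates: Iterable[str]) -> Dict[str, int]:
    """Tally what an online guesser sees against one account."""
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for pin in candidates:
        result = auth.login(user, pin)
        tally[result] += 1
        if result == "ok":
            break
    return tally


def guesses_per_day(max_failures: int, lockout_seconds: int) -> float:
    """Upper bound on checked guesses one account absorbs per day."""
    return max_failures * (86_400 / lockout_seconds)


def days_to_exhaust(space: int, max_failures: int, lockout_seconds: int) -> float:
    """Days needed to try every value in `space` at the lockout-limited rate."""
    return space / guesses_per_day(max_failures, lockout_seconds)


if __name__ == "__main__":
    clock = ManualClock(1_000.0)
    auth = Authenticator(now=clock.now)
    auth.add_user("joe", "0842")                     # constructed test account
    print(simulate_online_guessing(auth, "joe", (f"{i:04d}" for i in range(PIN_SPACE))))
    clock.t += LOCKOUT_SECONDS + 1
    print(auth.login("joe", "0842"))
    print(f"{days_to_exhaust(PIN_SPACE, MAX_FAILURES, LOCKOUT_SECONDS):.1f} days to exhaust")
```

The `days_to_exhaust` figure is the caveat Tim hints at with "it may not be perfect": 5 tries per 15 minutes still lets a patient guesser cover the whole 4-digit space in about three weeks per account, so the lockout buys detection time (a flood of "locked" results in the RADIUS log is an obvious alert) rather than making the PIN strong.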