[brlug-general] Wireless security (Not specifically Linux-related)

Tim Fournet tfournet at tfour.net
Tue Apr 3 14:04:21 CDT 2007


As long as your devices can communicate with your RADIUS server somehow, 
then yes.


Joe Fruchey wrote:
> Good tips, thanks.
>
> My other RADIUS question: We can have one server to authenticate
> everybody, right? Even though they're on different subnets?
>
> On 4/3/07, Tim Fournet <tfournet at tfour.net> wrote:
>   
>> The problem with a single key for everyone is that once it's known to
>> someone you don't want to know it (disgruntled ex-employee, for example)
>> you have to change it for everyone. This results in a lot of angry calls.
>>
>> One means of mitigating brute-force password attacks for your 4-number
>> passwords would be to enforce a lockout after n number of failed tries.
>> It may not be perfect, but I understand you have to work with the (bad)
>> policies you have. I won't get into all the better methods of
>> authenticating your users, since I'm sure you know about them but the
>> managers aren't going to agree to anything more difficult for the users.
>>
>> If you're running a Windows domain, RADIUS is really easy to set up -
>> Windows Server includes the IAS (Internet Authentication Service) which
>> is just a RADIUS server. If you've got Linux servers, there are a
>> handful of free RADIUS servers available on Linux that work well too.
>>
>>
>>
>> Joe Fruchey wrote:
>>     
>>> OK guys, let me pick your brains...
>>>
>>> There is interest in setting up Wi-Fi in our system. Since I've been
>>> working with it for a while now at home, at others' homes, etc., I get
>>> to be "Wi-Fi Guy." Why I take on all these responsibilities for such a
>>> meager salary is beyond me. But I digress...
>>>
>>> I've used WPA-PSK for all the devices I've set up. I get a
>>> 63-character Crazy-Ass™ password from https://www.grc.com/passwords to
>>> eliminate the risk of brute-forcing it. I know about the existence of
>>> RADIUS, but I'm not very familiar with it, and I'm not entirely sure
>>> that it would be our ideal solution.
>>>
>>> From what I understand, if I were to go the RADIUS route, I would set
>>> up a RADIUS server, which would prompt for a login upon connecting. It
>>> would authenticate that against our domain login server, and either
>>> allow or deny access based on the provided credentials. Is that pretty
>>> much it? If so, I don't know if that's such a good idea. We have
>>> laughable login security.
>>>
>>> Everyone's password is restricted to numerals only, and since they
>>> must be at least four digits, 99.9% of our passwords are exactly four
>>> digits. There are protections in place that check passwords against
>>> the personnel database, so you can't use your SSN, DOB, or phone
>>> number, but anniversaries and loved ones' birthdays are fair game, and
>>> are often utilized.
>>>
>>> We have one WAP set up with WPA-PSK right now. We plan to expand, and
>>> eventually have one at every site (all 27 of them). We'll use the same
>>> key for all the routers (we're using routers instead of WAPs because
>>> we don't use DHCP), and the key will be stored on the relevant users'
>>> laptops as a text file.
>>>
>>> So which method is more secure? (If I've even got the RADIUS idea
>>> correct...) PSK is susceptible to someone getting the text file, or
>>> stealing a laptop, which is not unheard of... RADIUS seems susceptible
>>> to simple password guessing, which could be very easy depending on the
>>> user (and the villain).
>>>
>>> Any input is greatly appreciated.
>>>
>>> Thanks,
>>>
>>> Joe
>>>
>>> _______________________________________________
>>> General mailing list
>>> General at brlug.net
>>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
>>>
>

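Added example (not part of the thread, and not IAS or FreeRADIUS configuration): the "lockout after n failed tries" idea from Tim's reply, written out as a small policy that a login front end could consult, together with the arithmetic showing how far it goes against the four-digit PINs Joe describes. The user/PIN table, the policy parameters and the timestamps are constructed for the example; the `now` argument is passed explicitly so the behaviour is deterministic.

```python
"""Failed-login lockout policy, and what it does and does not buy against 4-digit PINs.

Added example for the brlug thread on RADIUS vs. WPA-PSK; the parameters
(3 failures, 5-minute window, 10-minute lockout) and the PIN table are
constructed, not taken from any real deployment.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import time


@dataclass
class LockoutPolicy:
    max_failures: int = 3        # failures inside the window before the account locks
    window_seconds: int = 300    # failures older than this are forgotten
    lockout_seconds: int = 600   # how long the account stays locked
    # per-user bookkeeping: recent failure timestamps and lockout expiry
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Record one failed attempt; return True if this one triggered a lockout."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = []   # counter restarts once the lockout expires
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def authenticate(policy: LockoutPolicy, user: str, pin: str, now: float,
                 lookup: Callable[[str], Optional[str]]) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account refuses even the correct PIN."""
    if policy.is_locked(user, now):
        return "locked"
    if lookup(user) is not None and lookup(user) == pin:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "denied"


def guesses_per_day(policy: LockoutPolicy) -> float:
    """Online guesses per account per day if the attacker waits out every lockout."""
    cycles_per_day = 86400 / policy.lockout_seconds
    return policy.max_failures * cycles_per_day


def pin_guess_probability(policy: LockoutPolicy, days: float = 1.0, digits: int = 4) -> float:
    """Chance of hitting one uniformly random PIN of `digits` digits within `days`."""
    return min(1.0, guesses_per_day(policy) * days / 10 ** digits)


def days_to_exhaust(policy: LockoutPolicy, digits: int = 4) -> float:
    """Days needed to try every PIN of `digits` digits against a single account."""
    return 10 ** digits / guesses_per_day(policy)


if __name__ == "__main__":
    # Constructed PIN table; real deployments would check a directory, not a dict.
    pins = {"joe": "1234"}
    policy = LockoutPolicy()
    for t, guess in enumerate(["0000", "0001", "0002", "1234"]):
        print(t, guess, authenticate(policy, "joe", guess, float(t), pins.get))
    print(f"{guesses_per_day(policy):.0f} guesses/day, "
          f"{pin_guess_probability(policy):.1%} chance per day, "
          f"{days_to_exhaust(policy):.1f} days to exhaust a 4-digit PIN")
```

Two points the numbers make: with three tries per ten-minute lockout an attacker still gets 432 guesses a day against one account, so a uniformly random four-digit PIN falls in about three weeks and a birthday-based one far sooner; and because the lock refuses the correct PIN too, anyone who can reach the login prompt can lock a user out on purpose, which is the denial-of-service cost of this control.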