[brlug-general] Wireless security (Not specifically Linux-related)
-ray
ray at ops.selu.edu
Tue Apr 3 16:09:31 CDT 2007
On Tue, 3 Apr 2007, Joe Fruchey wrote:
> MAC-based? How is that any better than just filtering the MAC address
> at the router? Anybody could just spoof their MAC address and get in.
It's not, but it does give you another layer of defense. And if you're
using WPA, just getting the list of "approved" MACs that you can spoof is
non-trivial. You'd need to steal the PSK, then decrypt a frame to steal
a MAC, then spoof the MAC. Let's face it, you can get both (PSK and MAC)
from just stealing a laptop. But you're definitely deterring the war
drivers, and keeping Joe users from just emailing the PSK to each other.
Your best bet is WPA with 802.1x/RADIUS. My point was you need 802.1x.
If you're not using PSK, then that's the only other option as far as I
know. Any RADIUS authentication I've seen that is NOT 802.1x
(username/password) is normally MAC-based.
ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean http://www.r-a-y.org
Systems Engineer Southeastern Louisiana University
IBM Certified Specialist AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=