Thread: [Aironet] Re: Contents of Aironet digest, Vol 1 #384 - 1 msg
From: ASTI S. A. N. <AN...@ay...> - 2001-05-29 00:26:14
Alma N. Sison
Network & Communications Group
Ayala Systems Technology, Inc.
Tel No.: 8132494
e-mail : an...@ay...

-----Original Message-----
From: air...@cs... [mailto:air...@cs...]
Sent: Monday, May 28, 2001 9:52 PM
To: ai...@en...
Subject: Aironet digest, Vol 1 #384 - 1 msg

Send Aironet mailing list submissions to
ai...@cs...

To subscribe or unsubscribe via the World Wide Web, visit
http://csl.cse.ucsc.edu/mailman/listinfo/aironet
or, via email, send a message with subject or body 'help' to
air...@cs...

You can reach the person managing the list at
air...@cs...

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Aironet digest..."

Today's Topics:

1. Re: Thoughts about managing user access withOUT LEAP (Dustin Goodwin)

--__--__--

Message: 1
Date: Sun, 27 May 2001 10:23:11 -0700 (PDT)
From: Dustin Goodwin <dus...@ya...>
To: ai...@en...
Subject: [Aironet] Re: Thoughts about managing user access withOUT LEAP

Thanks to the large number of great responses I got on this topic. I want to share some of my additional

Programmable MAC addresses. Any MAC based access control system is going to be defeated by cards that support this. The good news is that support for the features is different card to card. May be hard for techie users to figure out and sniffing valid MAC addresses to steal may be difficult. Might be an acceptable risk for my requirements.

VPN client software. I thought this was a great idea to use PPTP or IPSEC client to provide access control. Why screw around with WEP when you can get great encryption via IPSEC client. But since I plan on providing little or no desktop support this is probably not good for my application. My users will be of varying technical capability. This install needs to be brain dead simple. Also I have no control over what desktop O/S will be used. This might work for situations where there is desktop standardization and/or a help desk available to assist with install.

dhcp integration. Another great idea, if you missed this suggestion. It was to program the dhcp server to only give out IP addresses based on MAC address. Then scan the lease file and update ipchains filter with those IP addresses that have been issued. The flaw I see in this scheme is that once the lease has been issued for the ip address and the IP address has been added to ipchains filter that IP address is vulnerable to theft. You could additionally secure this by creating static ARP entries that create a permanent relationship between the ip and mac. Actually using dhcp in conjunction with static ARP entries you could skip using ipchains to filter the ip address.

Thanks again,
- Dustin -

--- Dustin Goodwin <dus...@ya...> wrote:
> I would like to offer a number of users wlan access to
> my network. But I need to restrict access to only
> users that are authorized. I realize I could do this
> with SSID and WEP keys but the problem there being
> selectively deleting users without making everyone
> re-configure their wireless nic each time. Since LEAP
> is not available on most platforms I was considering
> the following.
>
> Since I assume most access points act like a normal
> bridge, in that each wlan client appears as its own
> unique MAC address. If I setup a device (like a layer
> 3 router) inline between the ap and my network that
> can filter on MAC address I could restrict clients on
> a per wlan nic basis.
> 1. Does this make any sense as a poor man's per user
> access control scheme?
> 2. Do access points act bridge-like in the manner I
> describe?
> 3. Do any wlan nic's allow user configurable mac
> address?
> Thanks in advance,
> - Dustin -

--__--__--

_______________________________________________
Aironet mailing list - Ai...@cs...
http://csl.cse.ucsc.edu/mailman/listinfo/aironet

End of Aironet Digest
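
The DHCP integration scheme from Dustin Goodwin's message, as an added example that is not part of the original thread: it reads a lease file, keeps only unexpired leases held by allowlisted MAC addresses, and emits the static ARP and ipchains commands for the gateway. The ISC dhcpd lease syntax, the allowlist, the addresses and the use of the `forward` chain are assumptions; the sample data is constructed.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (assumed server), one entry per line.
# Entries are appended over time, so the LAST entry for an IP is the current one.
SAMPLE_LEASES = """
lease 192.168.50.10 { ends 0 2001/05/27 20:00:00; hardware ethernet 00:40:96:aa:bb:01; }
lease 192.168.50.11 { ends 0 2001/05/27 21:00:00; hardware ethernet 00:40:96:AA:BB:02; }
lease 192.168.50.12 { ends 0 2001/05/27 21:30:00; hardware ethernet 00:02:2d:11:22:33; }
lease 192.168.50.11 { ends 0 2001/05/27 09:15:00; hardware ethernet 00:40:96:AA:BB:02; }
"""
AUTHORIZED = {"00:40:96:aa:bb:01", "00:40:96:aa:bb:02"}  # constructed allowlist

LEASE_RE = re.compile(r"lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"ends\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")
MAC_RE = re.compile(r"hardware\s+ethernet\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2});")

def current_bindings(text, now):
    """Return {ip: mac} for unexpired leases held by allowlisted MACs."""
    latest = {}
    for ip, body in LEASE_RE.findall(text):
        ends, mac = ENDS_RE.search(body), MAC_RE.search(body)
        if ends and mac:
            when = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")
            latest[ip] = (when, mac.group(1).lower())
        else:
            latest.pop(ip, None)  # fail closed: an unparsable entry revokes the IP
    return {ip: mac for ip, (when, mac) in sorted(latest.items())
            if when > now and mac in AUTHORIZED}

def gateway_commands(bindings):
    """Static ARP pins each IP to its MAC; ipchains forwards only those IPs."""
    # Set the default-deny policy before flushing so no window is left open.
    cmds = ["ipchains -P forward DENY", "ipchains -F forward"]
    for ip, mac in bindings.items():
        cmds.append(f"arp -s {ip} {mac}")
        cmds.append(f"ipchains -A forward -s {ip} -j ACCEPT")
        cmds.append(f"ipchains -A forward -d {ip} -j ACCEPT")  # return traffic
    return cmds

if __name__ == "__main__":
    now = datetime(2001, 5, 27, 12, 0, 0)  # constructed clock; lease times are UTC
    print("\n".join(gateway_commands(current_bindings(SAMPLE_LEASES, now))))
```

Static ARP entries stop a different MAC from claiming a leased IP at the gateway; as the message notes, a card with a programmable MAC set to an authorized address still passes.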