WEP help

Doug Yeager doug
Thu Dec 5 10:11:02 PST 2002


I totally agree with you.
No cat auth really is just an authentication to allow people through the
gateway.  I think it is on a different level than the WEP encryption.

I think I can do exactly what you are saying w/ 802.1x  as when the user
gets to a hotspot they can surf the local lan all they want but when
they try to go to the internet and ftp and such to the internet
nocatauth kicks in.

So I think what you are saying is that the hostap can assign the keys to
the clients based on the mac address of the client card.  That is
perfect!

I can see if hostap has that capability I think.  Anybody out there try
this?!

Now, on the client, how do you set it up so they have this capability?

My linksys card always wants me to put in my own pass phrase or keys.  I
don't want it to ask.  I just want the server to assign me one and me to
accept it like https.

Thx,
doug

-----Original Message-----
From: Jacques Caron [mailto:Jacques.Caron at IPsector.com] 
Sent: Thursday, December 05, 2002 12:28 PM
To: doug at ycomsystems.com
Subject: RE: WEP help

Hi,

I know the driver supports per-client keys, but I don't know offhand how

you would be able to change those keys from userland, probably some form
of 
ioctl (I'm not sure there is a command or iwconfig param that does
this), 
you might want to look into the hostapd source code, since that program
is 
actually doing the 802.1x bit and the WEP key setting. Probably not very

difficult to write a very short program that would take a MAC address
and 
WEP key and give that information to the driver, if there isn't one
already.

Note however that if using nocatauth rather than 802.1x, you end up with

the problem that the user must switch from unencrypted to encrypted
right 
after the authentication is done (you have to start without encryption 
because the AP does not know who it is at first). Also it would not give

you the advantages of dynamic keying and automatic configuration (the
user 
actually needs to enter the key, and will keep the same key for a while,

which leaves WEP open to its known weaknesses). 802.1x on the other hand

would give you automatic configuration and dynamic re-keying.

Do I sound like a big 802.1x advocate? :-)

Jacques.

At 17:58 05/12/2002, Doug Yeager wrote:
>This is very informative Jacques...hope others can benefit also.
>
>
>I'm using nocatauth for these nodes.  It would be very easy for me to
>allow the user to enter their wep password into their member profile in
>the authserver website...this of course would be the same one they
enter
>for their wifi card setup.  At that point when they login it would be
>easy for me to send that password to the ap through the nocat gateway.
>At that point would I be able to use a command to let the hostap know
to
>use that key?
>
>Something like:
>Iwconfig wlan0 key s:users_password on
>?
>
>if so, what about multiple users on that node?  Will the AP remember
the
>different keys and associate them to the correct clients?  Also, if
>there is an open mode, can those users also be able to communicate?
>
>Thx in advance,
>doug
>
>-----Original Message-----
>From: hostap-admin at shmoo.com [mailto:hostap-admin at shmoo.com] On Behalf
>Of Jacques Caron
>Sent: Thursday, December 05, 2002 11:38 AM
>To: doug at ycomsystems.com
>Cc: hostap at shmoo.com
>Subject: Re: WEP help
>
>Hi,
>
>The goal of WEP is (in theory) to make sure that only people who have
>the
>key can decrypt packets sent with that key. In the general case, this
>means
>you have to use so-called "pre-shared keys", i.e. keys that both ends
>(the
>client and the AP) know in advance. And since most APs have only a
>limited
>number of keys they can use, that also means that everybody is using
the
>
>same key, and hence that everybody you give the key to will be able to
>decrypt the trafic from anyone else using the AP.
>
>In the case of a public WLAN, the only way to use WEP is together with
>802.1x. This means:
>- the client must support 802.1x, the appropriate EAP method chosen,
and
>
>dynamic keys
>- the AP must support 802.1x and dynamic keys
>- you must have a RADIUS server with support for EAP and the
appropriate
>
>EAP method chosen and the generation of dynamic keys.
>
>In that case, when a user connects, it authenticates using the relevant
>EAP
>method, and a dynamic WEP key is generated and used just for that
client
>
>(i.e. the AP handles one WEP key for each client). And no-one but the
>client and the AP can decrypt the trafic sent between them using that
>key.
>
>Now, depending on what your exact security goals are, there are quite a
>number of alternatives:
>- do not use WEP at all, and rely on the users having appropriate VPN
>software and/or SSL/TLS-enabled software (and servers to talk to)
>- do not use WEP at all, and provide some other form of encryption for
>the
>customers (PPPoE, PPTP, L2TP, IPsec)
>
>I would personally recommend using WEP with 802.1x, since:
>- 802.1x is built into Windows XP
>- there is now a free 802.1x add-on from MS for W2K
>- versions for other Windows platforms are coming
>- there is a free 802.1x client for Unix systems (open1x aka
>xsupplicant)
>- hostap supports 802.1x
>- there are free (freeRADIUS) and commercial (many) RADIUS servers that
>support 802.1x
>- this will give you security and accounting
>- this scheme is the only one that will enable WLAN roaming in a
secure,
>
>open and transparent fashion
>
>Obviously, you still need a way to allow users with 802.1x or a
>subscription to connect (without WEP) to a limited set of pages to know
>what they need, subscribe, download the necessary software, etc.
>
>Let me know if I can be of any help :-)
>
>Jacques.
>
>At 17:19 05/12/2002, Doug Yeager wrote:
>
> >Im looking for some kind of help guild to explain to me the basic
>concepts
> >of WEP.
> >
> >
> >
> >Right now I have a few wireless nodes serving various coffee shops.
I
> >have not experimented with WEP.
> >
> >
> >
> >What I think it does is this:  allow any client to select to use WEP
>and
> >pick their own key.
> >
> >Then they can talk w/ the AP using that encryption key that they
>picked.
> >
> >
> >
> >But those who just want to talk w/ the AP w/o WEP can do so also.
> >
> >
> >
> >I may be wrong on how WEP is used but that is what I thought it
should
>do.
> >
> >
> >
> >Ive experimented w/ setting my AP in open mode w/ some random key
using
>
> >iwconfig util.
> >
> >
> >
> >Iwconfig wlan0 s:aircom open
> >
> >
> >
> >This doesnt seem to do what I want.  Actually it cuts off
communication
>to
> >my clients.
> >
> >
> >
> >
> >
> >If someone could clear up how wep is used, it may help a bit along
with
>
> >what commands to enable it how it want to use it would be helpful.
> >
> >Or if a document tells me somewhere, that reference would be great.
> >
> >
> >
> >Thx much,
> >
> >doug
>
>
>-- Jacques Caron, IP Sector Technologies
>     Join the discussion on public WLAN open global roaming:
>     http://lists.ipsector.com/listinfo/openroaming
>
>
>_______________________________________________
>HostAP mailing list
>HostAP at shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap


-- Jacques Caron, IP Sector Technologies
    Join the discussion on public WLAN open global roaming:
    http://lists.ipsector.com/listinfo/openroaming








More information about the Hostap mailing list