802.1X and Radius server vs Nocat Project
Jacques Caron
Jacques.Caron
Thu Mar 20 15:50:32 PST 2003
Hi,
NoCatAuth is a good stopgap measure to authenticate users without the need
for special software (you just need a browser), but it does have a number
of limitations when compared to 802.1X:
- NoCatAuth does not have any way to prevent IP or MAC address spoofing.
This means that once a user has successfully authenticated, a malicious
user can sniff their traffic, spoof the valid MAC and IP addresses, and have
full access. 802.1X if used with per-session keys will not allow that (the
malicious user would need to find the per-session key).
- the NoCatAuth gateway gets full cleartext credentials. This means that a
malicious gateway (either in a roaming context, or a rogue AP+gateway) can
get the credentials, and then use them. In a non-roaming context the risk
can be reduced if users actually check the gateway URL and only give their
credentials in this case (good luck!), but in a roaming context this is not
possible.
On the other hand, NoCatAuth works with any 802.11 client with a browser,
while 802.1X support in clients is still far from being ubiquitous (it's
built into Windows XP, there's a free client for W2K, there's
xsupplicant/open1x for Unix systems, but all others are commercial).
Depending on your needs (types of clients, security requirements...), one
or the other option might be best for you.
Hope that helps,
Jacques.
At 22:16 20/03/2003, Fernando Cabrera wrote:
>Hello!!
>
>I have a wireless card in my Red Hat box running in master mode with
>hostap. I want to authenticate the users who connect to my computer. I
>have heard about 802.1X and Radius server in this mailing list, but I have
>found another utility to do that. This is the Nocat project
>http://nocat.net/ . You can see a brief guide in this link
>http://verma.sfsu.edu/users/wireless/bawug-july-2002.pdf
>
>I have looked at the nocat page and I guess it's very similar to 802.1x; you
>can even give different kinds of access to your network, depending on the
>privilege of the user. I want to know if you can do that with 802.1x and
>Radius and if there are any other differences between them.
>
>Which one do you recommend?
>
>Thanks
>
>_______________________________________________
>HostAP mailing list
>HostAP at shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming
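
Added example, not part of the original message: a simplified model of the first limitation above, comparing a gateway that authorizes on MAC and IP address alone with a link that requires every frame to be tagged with a per-session key. The class names, the addresses and the HMAC-SHA256 tag are assumptions made for illustration; the tag stands in for whatever per-frame protection the link layer derives from the 802.1X session key.

```python
import hashlib
import hmac
import os

def frame_tag(key, mac, ip, payload):
    # Integrity tag over addresses and payload, keyed with the per-session key.
    return hmac.new(key, f"{mac}|{ip}|".encode() + payload, hashlib.sha256).digest()

def make_frame(mac, ip, payload, key=None):
    frame = {"mac": mac, "ip": ip, "payload": payload}
    if key is not None:
        frame["tag"] = frame_tag(key, mac, ip, payload)
    return frame

class PortalGateway:
    """Captive-portal model: after login, only (MAC, IP) is checked."""
    def __init__(self):
        self.allowed = set()
    def login(self, mac, ip):
        self.allowed.add((mac, ip))
    def accept(self, frame):
        return (frame["mac"], frame["ip"]) in self.allowed

class KeyedLink:
    """Per-session-key model: each frame must verify under the station's key."""
    def __init__(self):
        self.keys = {}
    def authenticate(self, mac):
        self.keys[mac] = os.urandom(32)  # fresh key for every session
        return self.keys[mac]
    def accept(self, frame):
        key = self.keys.get(frame["mac"])
        if key is None or "tag" not in frame:
            return False
        expected = frame_tag(key, frame["mac"], frame["ip"], frame["payload"])
        return hmac.compare_digest(frame["tag"], expected)

def compare():
    mac, ip = "02:00:00:00:00:01", "192.0.2.10"  # constructed sample addresses
    portal, link = PortalGateway(), KeyedLink()
    portal.login(mac, ip)
    key = link.authenticate(mac)
    legit = make_frame(mac, ip, b"data", key)             # authenticated station
    copied = make_frame(mac, ip, b"data")                 # same addresses, no key
    guessed = make_frame(mac, ip, b"data", os.urandom(32))  # same addresses, wrong key
    return {"portal_legit": portal.accept(legit), "portal_copied": portal.accept(copied),
            "keyed_legit": link.accept(legit), "keyed_copied": link.accept(copied),
            "keyed_guessed": link.accept(guessed)}

if __name__ == "__main__":
    print(compare())
```

The address-only gateway cannot tell the two stations apart, while the keyed link rejects any frame not produced with the session key. The model leaves out replay protection, which a real link layer also needs.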