doug at aircomwireless.net
Thu Dec 5 11:59:35 EST 2002
This is very informative Jacques...hope others can benefit also.
I'm using nocatauth for these nodes. It would be very easy for me to
allow the user to enter their wep password into their member profile in
the authserver website...this of course would be the same one they enter
for their wifi card setup. At that point when they login it would be
easy for me to send that password to the ap through the nocat gateway.
At that point would I be able to use a command to let the hostap know to
use that key?
Iwconfig wlan0 key s:users_password on
if so, what about multiple users on that node? Will the AP remember the
different keys and associate them to the correct clients? Also, if
there is an open mode, can those users also be able to communicate?
Thx in advance,
From: Jacques Caron [mailto:Jacques.Caron at IPsector.com]
Sent: Thursday, December 05, 2002 11:38 AM
To: doug at ycomsystems.com
Cc: hostap at shmoo.com
Subject: Re: WEP help
The goal of WEP is (in theory) to make sure that only people who have
key can decrypt packets sent with that key. In the general case, this
you have to use so-called "pre-shared keys", i.e. keys that both ends
client and the AP) know in advance. And since most APs have only a
number of keys they can use, that also means that everybody is using the
same key, and hence that everybody you give the key to will be able to
decrypt the trafic from anyone else using the AP.
In the case of a public WLAN, the only way to use WEP is together with
802.1x. This means:
- the client must support 802.1x, the appropriate EAP method chosen, and
- the AP must support 802.1x and dynamic keys
- you must have a RADIUS server with support for EAP and the appropriate
EAP method chosen and the generation of dynamic keys.
In that case, when a user connects, it authenticates using the relevant
method, and a dynamic WEP key is generated and used just for that client
(i.e. the AP handles one WEP key for each client). And no-one but the
client and the AP can decrypt the trafic sent between them using that
Now, depending on what your exact security goals are, there are quite a
number of alternatives:
- do not use WEP at all, and rely on the users having appropriate VPN
software and/or SSL/TLS-enabled software (and servers to talk to)
- do not use WEP at all, and provide some other form of encryption for
customers (PPPoE, PPTP, L2TP, IPsec)
I would personally recommend using WEP with 802.1x, since:
- 802.1x is built into Windows XP
- there is now a free 802.1x add-on from MS for W2K
- versions for other Windows platforms are coming
- there is a free 802.1x client for Unix systems (open1x aka
- hostap supports 802.1x
- there are free (freeRADIUS) and commercial (many) RADIUS servers that
- this will give you security and accounting
- this scheme is the only one that will enable WLAN roaming in a secure,
open and transparent fashion
Obviously, you still need a way to allow users with 802.1x or a
subscription to connect (without WEP) to a limited set of pages to know
what they need, subscribe, download the necessary software, etc.
Let me know if I can be of any help :-)
At 17:19 05/12/2002, Doug Yeager wrote:
>Im looking for some kind of help guild to explain to me the basic
>Right now I have a few wireless nodes serving various coffee shops. I
>have not experimented with WEP.
>What I think it does is this: allow any client to select to use WEP
>pick their own key.
>Then they can talk w/ the AP using that encryption key that they
>But those who just want to talk w/ the AP w/o WEP can do so also.
>I may be wrong on how WEP is used but that is what I thought it should
>Ive experimented w/ setting my AP in open mode w/ some random key using
>Iwconfig wlan0 s:aircom open
>This doesnt seem to do what I want. Actually it cuts off communication
>If someone could clear up how wep is used, it may help a bit along with
>what commands to enable it how it want to use it would be helpful.
>Or if a document tells me somewhere, that reference would be great.
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
More information about the HostAP