Jacques.Caron at IPsector.com
Tue Dec 24 20:58:20 EST 2002
At 22:31 24/12/2002, Sergio M. Ammirata wrote:
>I am not suggesting that we do a proprietary key exchanging mechanism. I
>am suggesting that hostapd be enhanced to do what the radius server does
>as far as key rotation. Perhaps starting with a random key for each
>client and keeping track of the key changes per client.
Well then you mean having a RADIUS server built-in :-) Install freeRADIUS
on the same box and off you go. I don't think putting this functionality in
hostapd itself would be a good thing, you would need to implement (again)
the EAP methods, when you could just use a RADIUS server which is really
not that hard to set up.
And even if the keys are random (they can be), you *need* to have a master
session key that has been derived independently by the client and server
sides of the EAP method based on the credentials (which btw limits the use
to EAP methods that can actually do that, like EAP TLS, EAP SRP, but not
EAP MD5 or EAP OTP). And this implies having a credentials database on the
server side, so putting all this in hostapd would make it a lot bigger
without much gain if compared to separate hostapd / RADIUS servers on the
same box (and less flexibility etc.).
> > The big problem with MAC addresses is that they are so easy to change
> > it doesn't even qualify as a security feature, and certainly not for a
> > large-scale setup where you need/use a central auth server.
>I agree that this layer of security is easily hackable. But why discard
>it? It will deter at least the roaming users that are not supposed to
>link to your network.
If it is used as a first step auth (e.g. at association time, before moving
on to 802.1X for known MAC addresses), it could indeed be a good idea. But
there might be timing issues with that, I'm not sure a round-trip to a
possibly remote RADIUS server would be possible within the time allowed for
the association (but I'm wild guessing here and too lazy to go check the
spec right now).
BTW, Merry Christmas to everybody!
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
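The key-derivation requirement described in the message above, as an added example (not code from the thread, hostapd or any RADIUS server): the supplicant and the RADIUS server each compute the EAP-TLS master session key (MSK) from the TLS handshake state (RFC 5216 section 2.3, same label as the older RFC 2716), and the server then wraps the key with the RADIUS shared secret (RFC 2548 MS-MPPE-Recv/Send-Key) to hand it to the AP. The master secret, the client/server randoms, the shared secret and the Request Authenticator are constructed values; in a real exchange they come from the TLS handshake and the RADIUS Access-Request. The TLS 1.2 PRF (SHA-256) is used here; a 2002-era TLS 1.0 handshake would use the MD5/SHA-1 PRF with the same label.

```python
import hashlib
import hmac


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out = b""
    a = seed                                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def eap_tls_msk(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5216 section 2.3: MSK = first 64 octets of
    PRF(master_secret, "client EAP encryption", client.random + server.random).
    Both the peer and the EAP server hold these inputs, so neither side ever
    has to transmit the key."""
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    return key_material[:64]


def mppe_key_encrypt(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """RFC 2548 section 2.4.2: wrap a key in an MS-MPPE-*-Key attribute.
    secret = RADIUS shared secret, req_auth = 16-byte Request Authenticator,
    salt = 2 bytes with the high bit of the first byte set."""
    assert len(salt) == 2 and salt[0] & 0x80 and len(req_auth) == 16
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)      # pad P to a multiple of 16
    out = salt
    prev = req_auth + salt                     # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        prev = c                               # b(i) = MD5(S + c(i-1))
    return out


def mppe_key_decrypt(blob: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of mppe_key_encrypt, as performed by the AP (hostapd)."""
    salt, cipher = blob[:2], blob[2:]
    plain = b""
    prev = req_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]


def simulate_session(shared_secret: bytes, master_secret: bytes, client_random: bytes,
                     server_random: bytes, req_auth: bytes) -> tuple:
    """Returns (key the station derived, key the AP received from RADIUS)."""
    station_msk = eap_tls_msk(master_secret, client_random, server_random)   # peer side
    server_msk = eap_tls_msk(master_secret, client_random, server_random)    # RADIUS side
    # RADIUS server -> AP in Access-Accept: Recv-Key = MSK[0:32], Send-Key = MSK[32:64]
    recv_attr = mppe_key_encrypt(server_msk[:32], shared_secret, req_auth, b"\x8a\x01")
    send_attr = mppe_key_encrypt(server_msk[32:], shared_secret, req_auth, b"\x8b\x02")
    ap_msk = (mppe_key_decrypt(recv_attr, shared_secret, req_auth)
              + mppe_key_decrypt(send_attr, shared_secret, req_auth))
    return station_msk, ap_msk


# Constructed sample inputs (not real handshake values)
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
REQ_AUTH = b"\x33" * 16
SHARED_SECRET = b"constructed-radius-secret"

if __name__ == "__main__":
    station, ap = simulate_session(SHARED_SECRET, MASTER_SECRET, CLIENT_RANDOM,
                                   SERVER_RANDOM, REQ_AUTH)
    print("station MSK == AP MSK:", station == ap, "len", len(ap))
```

The station's key and the AP's key match only because the RADIUS server held the TLS state and the credentials database; hostapd itself only needs the shared secret to unwrap what the server sends, which is why an external server (pointed to with hostapd's auth_server_addr / auth_server_shared_secret settings) is enough.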