802.1X and Radius server vs Nocat Project

Jacques Caron Jacques.Caron at IPsector.com
Thu Mar 20 18:50:32 EST 2003


Hi,

NoCatAuth is a good stopgap measure to authenticate users without the need 
for special software (you just need a browser), but it does have a number 
of limitations when compared to 802.1X:
- NoCatAuth does not have any way to prevent IP or MAC address spoofing. 
This means that once a user has successfully authenticated, a malicious 
user can sniff its traffic, spoof the valid MAC and IP addresses, and have 
full access. 802.1X if used with per-session keys will not allow that (the 
malicious user would need to find the per-session key).

- the NoCatAuth gateway gets full cleartext credentials. This means that a 
malicious gateway (either in a roaming context, or a rogue AP+gateway) can 
get the credentials, and then use them. In a non-roaming context the risk 
can be reduced if users actually check the gateway URL and only give their 
credentials in this case (good luck!), but in a roaming context this is not 
possible.

On the other hand, NoCatAuth works with any 802.11 client with a browser, 
while 802.1X support in clients is still far from being ubiquitous (it's 
built into Windows XP, there's a free client for W2K, there's 
xsupplicant/open1x for Unix systems, but all others are commercial). 
Depending on your needs (types of clients, security requirements...), one 
or the other option might be best for you.

Hope that helps,

Jacques.

At 22:16 20/03/2003, Fernando Cabrera wrote:

>Hello!!
>
>I have a wireless card in my Red Hat box running as master mode with the 
>hostap. I want to authenticate the users who connects to my computer. I 
>have heard about 802.1X and Radius server in this mailing list, but i have 
>found other utility to do that. This is the Nocat project 
>http://nocat.net/ . You can see a brief guide in this link 
>http://verma.sfsu.edu/users/wireless/bawug-july-2002.pdf
>
>I have looked the nocat page and i guess it´s very similar to 802.1x, even 
>you can give different kinds of access to your netwok, depending of the 
>privilege of the user. I want to know if you can do that with 802.1x and 
>Radius and if there are any other different between them.
>
>Which one do you recommend me??
>
>Thanks
>
>_______________________________________________
>HostAP mailing list
>HostAP at shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap


-- Jacques Caron, IP Sector Technologies
    Join the discussion on public WLAN open global roaming:
    http://lists.ipsector.com/listinfo/openroaming





More information about the HostAP mailing list