ndiswrapper + wpa_supplicant

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu Dec 6 09:20:26 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

George N. White III wrote:
> 2.  Iwlist wlan0 scan often shows multiple "dlink" AP's, but only one
> "dlink" appears in the NetworkManager list.  Even if I give my AP a
> name, an evil perp could use the same name and NM might well use that
> AP. NM needs a way to present multiple AP's with the same name.

If you're worried about so-called "rogue APs", then simply splitting out
each BSS from the ESS in the UI isn't going to help at all.  As Dan said
in response to this, most people don't know (or care) which BSSID
they're connecting to -- but even apart from that, it may be possible to
fake a BSSID.  (I don't know for sure.)

The only secure way to fix this is to either (a) ensure your PSK can't
be guessed, *and* that nobody writes AP firmware/software that will let
people connect even if their PSK is wrong (though I don't know if that's
possible), or (b) use a RADIUS server, ensure your RADIUS shared secret
can't be guessed, use some kind of certificate to authenticate the
server (e.g. PEAP, TTLS, or TLS), and configure the client to only trust
a root certificate that you control.

The last part is the critical one: a rogue AP can probably spoof just
about everything, but not knowledge of the root cert's private key.  And
the unguessable shared secret ensures that the rogue AP can't just use
your existing RADIUS server.  (Although if someone has the ability to
plug into your network already, it's a bit of a moot point -- but whatever.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHWAUpS5vET1Wea5wRA3G0AKC4D4fGQkxnWLI3V8o01wqb5ZacsgCeIY3u
PvTgX13oTU7pWoFx3WVbw8I=
=qeLM
-----END PGP SIGNATURE-----



More information about the HostAP mailing list