Re: RADIUS for MAC authentication in WLAN, how doing it?

From: jpd (read_the_sig_at_do.not.spam.it)
Date: 01/03/04


Date: Sat, 3 Jan 2004 15:50:10 +0000 (UTC)

In article <bspvbv$c74$1@string1.ciencias.uniovi.es>, Igor Sobrado wrote:
[snip]
> Once I finish my doctoral dissertation (very soon, I hope) I will
> try getting a position in some lab (I will have a lot of problems
> getting a position in a Spanish university... curriculum vitae is
> not very important to get a position at our universities). Certainly,
> Bell Labs is the right place to go. One of the best labs for doing
> some serious research.

Provided they want to have you, but that would be a cool place to work,
true. If you're serious about getting there, you might not want to dig
too deep into the local administration mess, though. Having a working
wireless setup is not as important as finishing your dissertation. :-)

[snip: all the internet and still not completely classless]
> Managing address spaces and netmasks should not be difficult!

*snort* Tell that to the people that wrote the software. Especially
if they come from a different networking system or are right out of
college.

Long, long ago the IP world thought in classes. Even as recently as
mid last year someone in cubfm had to show off his knowledge of IP
addressing -- but was completely oblivious to the fact that we've been
classless for, whatsit, 10 or so years?

So, whether we like it or not, best to skip over all the .0 and .255
addresses. And for big enough blocks, the loss is no real issue.

[snip: management access methods]
> Fully agreed. First thing I did with my AP-1000 was upgrading its
> firmware. It has a serial cable connected to a machine, but I do
> not use it. The only wrong thing about this access point is that
> it does not support telnet, but a command-line interface proxy. This
> proxy is not available in source code, only as a GNU/Linux binary.

Ugh. Reason enough to pull a serial cable, I'd say. :-) Then again,
I'm spoiled by having a 48-port serial console solution in the rack.
If you have patch panels throughout the building you can route
serial lines through those, too.

> I tried SNMP, but I do not see the advantages
> of this protocol when managing only one device.

You're thinking of scaling up, no? Besides, lots of management software
and graphing tools can easily use SNMP, so for that it's really useful.
Generally less so for human interaction, though. I'd still want a CLI
for that. Speaking of which, a tool like scli can be fairly useful, too.

[snip: 802.11x issues]

I'm very sorry I haven't had time to dig into it yet, I'll see if I can
do so within a week and get back to you about it.

>>> I proposed buying 802.11b devices from either Lucent (Proxim) or Cisco.
>>> Good ones, but a bit expensive. Now I believe that it would be better
>>> not starting another campus-wide project, as people that assign money
>>> to projects do not know about technical issues.
>>
>> Well, isn't that where you come in, to tell them?
>
> I will try to tell them about this issue. Today, I had a meeting with
> the vice-president of the Faculty of Sciences. He believes that I will
> be able to get this network running (indeed... at least using standard
> WEP encryption without authenticating clients!). He feels that if the
> network finally works and has some users, all project members will
> provide us with more funds to buy real APs. I wanted to run those
> real APs now; IMHO upgrading the network will be expensive, and we are
> building this network with public funds. We should spend that money
> in the *right* way.

Well, you didn't have convincing documentation ready to pull them over
right away --something which you might not want to have done anyway,
mind you, for political reasons--, and since we're talking almost-
government here, don't expect the money to be spent efficiently at all.
The paper-pushers in your way might make more --and at least cost the
university more-- every day, than the APs cost, and you can't do
anything about that, either.

Your vice-president may well have done you a big favour already. Since
you're so completely out of the standard operations loop you can
actually get things done, but don't push it too hard as it is a touchy
subject for some. You might end up having to hand a working setup over
to the regular operations people, and after that it even might just stop
working after a while. Just hope you're gone by then.

I know this isn't what you were hoping for but as of yet you seem to have
support from the science faculty in spite of the people that should have
done it in the first place. This may very well be why the computer science
department is not supporting you. Build your network gradually and enjoy
while you can. As for the money, well, burning a lot of money, and your
sanity as well, on an inter-department feud is no good to anyone, is it?

[snip]
> Best of all, each user will have his or her own WEP key. Currently, if someone
> has the (unique) WEP key provided to WLAN users, (s)he will have access
> to all the traffic on that network. Well... I run ssh too, but most
> users do not. Using the same WEP key for all users is the worst weakness
> of WEP encryption.

Use ipsec, lay tunnels like with PPPoE and use some VPN tricks, etc.
There are a number of solutions possible. :-)

[snip]
> No, I will not be able to get a paid assignment currently. But
> my University has money to pay other students (even more than
> 1000 EUR/month for managing systems... and they are unable to set up
> something more complex than a Windows XP workstation sometimes!).

Been there, seen that, got the tee shirt. You're on the wrong spot
and don't fit in the administrative structure to actually get money.

> Well, this University does not recognise even my research publications
> (an ACM/SIGCOMM, a Computer Communication Review, an Elsevier, two
> workshops in Canada and Mexico, and some minor pubs.) The value of
> those papers is zero because I am a physics grad., not a computer
> engineer.

Time to get your papers and go somewhere where you are appreciated.
No sense in trying to pound some sense into them. Unless you're stubborn
enough and like that sort of battle. Don't make their loss your loss.

> But it is not a problem for me... I am only worried about the fact
> that there is no research in Spain. And I will finish my Ph.D.
> studies very soon. I do not want to spend my life selling personal
> computers here! :-(

There are nicer places. If you want to live in Spain again, see if
you can get enough reputation to get your government to sponsor you
and maybe a few others in a Spanish research institute. But those
are all long-term dreams.

> Our proposal is building a fast wireless network (802.11g, with speeds
> up to 100 Mbps using a non standard US Robotics extension to 45 Mbps
> 802.11g, called 802.11g+).

I'm not sure if you should do that, especially if you're not supplying
the network cards also. Better stick to standards even if they're slower.
That way you can easily replace access points with a different brand
should USR cease to exist or just cease to produce 802.11g+ APs.
On top of that, 802.11g+ uses a disproportionate amount of bandwidth in
the free band that isn't big to begin with. You'll run out of free
channels real fast, which means that you can't get your entire building
covered well enough for full bandwidth. The higher the data rate the
higher the spectrum consumption but also the shorter the usable range.

Besides, if you have a few public 100Mbit lines (perhaps with 802.1x?)
near the access point, you can use those if you need to transfer a lot of
data, otherwise you can use the wireless. Even 1mbit is plenty for
reading email.

> All those APs (15 of them) will be directly
> connected to the networks in the buildings, we have a speed of 2 Gbps
> between buildings, and a speed of 10 Gbps between campuses (very nice
> for sharing computer worms...). The idea was running a small NetBSD
> PC (a PS/ValuePoint) as RADIUS authenticator for the NASes. Each

I don't know what that is, hardware wise. If you run, say, your 15 APs
on 11mbit max (which is theoretical), you get a theoretical max of 165
mbit. More likely your peak max will be at about 100 mbit which a decent
if not overly recent peecee can handle with two quality 100mbit NICs.
Four ports, FastEtherChannel bonded in pairs if you want to be sure.
GigE NICs are also nice but not necessary.

> AP supports NAT and DHCP. I supposed that assigning addresses in an
> address space that does not overlap with the address spaces in other
> APs would solve the problem of assigning the same address to more than
> one device and would help roaming. But moving between cells is not
> possible. Proxy DHCP is not supported either.

Using the things in bridge mode should help there. You would want to
use a vlan to keep the bridged traffic separate from the regular traffic.

[snip]
> I do not feel that I will be able to contribute high-quality
> code for 802.1x authentication. There are a lot of people with more
> knowledge on this proposal than me...

You can contribute code, and it is up to the NetBSD people to decide
if yours is good enough. Making sure it is up to your standards at least
should help though. :-)

[snip]
> And currently those APs hang if we play with the management
> front-end (sometimes those APs hang even if we are not managing them,
> but it is less frequent).

Reason enough to ditch them, or at the very least get USR to fix that.
Hanging admin interfaces are completely unacceptable for production use.

-- 
  j p d (at) d s b (dot) t u d e l f t (dot) n l .
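Two of the points raised in this exchange are easy to check with a few lines of code: jpd's advice to skip the x.0 and x.255 addresses inside a classless block because software that still "thinks in classes" may mistake them for network or broadcast addresses (and that the loss is negligible for big enough blocks), and the quoted idea of giving each of the 15 APs its own non-overlapping address pool. The following is an added example, not code from the thread; it uses only Python's standard ipaddress module and the address blocks in it are constructed sample values.

```python
import ipaddress
from typing import Union

Addr = Union[str, ipaddress.IPv4Address]


def legacy_unsafe(addr: Addr) -> bool:
    """True if a classful-minded stack might treat this otherwise valid
    host address as a network or broadcast address (last octet 0 or 255)."""
    return ipaddress.IPv4Address(addr).packed[-1] in (0, 255)


def usable_hosts(cidr: str, skip_legacy: bool = True) -> list:
    """Host addresses of a CIDR block. ipaddress.hosts() already drops the
    true network and broadcast addresses; with skip_legacy=True the x.0 and
    x.255 addresses that survive inside blocks larger than a /24 are dropped too."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if skip_legacy:
        hosts = [h for h in hosts if not legacy_unsafe(h)]
    return hosts


def loss_report(cidr: str) -> dict:
    """How many addresses the 'skip .0 and .255' rule costs for one block."""
    strict = usable_hosts(cidr, skip_legacy=False)
    safe = usable_hosts(cidr, skip_legacy=True)
    lost = len(strict) - len(safe)
    return {
        "block": cidr,
        "cidr_usable": len(strict),
        "after_skipping": len(safe),
        "lost": lost,
        "lost_pct": round(100.0 * lost / len(strict), 2),
    }


def carve_pools(cidr: str, n_pools: int) -> list:
    """Split a block into the largest equal-sized subnets that yield at least
    n_pools non-overlapping ranges, e.g. one DHCP pool per AP. Sized by the
    number of extra prefix bits needed to get n_pools subnets."""
    net = ipaddress.ip_network(cidr, strict=True)
    extra_bits = max(1, (n_pools - 1).bit_length())   # 15 pools -> 4 bits -> 16 subnets
    return list(net.subnets(prefixlen_diff=extra_bits))[:n_pools]


def pools_disjoint(pools: list) -> bool:
    """Sanity check: no two pools overlap (the duplicate-address problem)."""
    return all(not a.overlaps(b) for i, a in enumerate(pools) for b in pools[i + 1:])


if __name__ == "__main__":
    # Constructed sample blocks; a /24 loses nothing, larger blocks lose under 1%.
    for block in ("192.168.1.0/24", "10.0.0.0/22", "10.0.0.0/16"):
        print(loss_report(block))
    pools = carve_pools("10.0.0.0/22", 15)          # 15 APs, one /26 each
    print([str(p) for p in pools], "disjoint:", pools_disjoint(pools))
```

For a /24 the rule costs nothing, since .0 and .255 are the real network and broadcast addresses anyway; for a /22 it removes 6 of 1022 hosts and for a /16 510 of 65534, which is the "no real issue" jpd describes. carve_pools only hands out equal-sized pools; if some APs serve far more clients than others, a variable-length split is the better choice.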

