[nycbug-talk] wpa cracked

Miles Nordin carton at Ivy.NET
Sun Nov 9 02:27:44 EST 2008 

>>>>> "il" == Isaac Levy <ike at lesmuug.org> writes:

    il>    - DOS problems

it's radio.  encryption won't help with DoS.  There is no such thing
as admission control.  Anyone can broadcast garbage on the band
period.  The only choice you can make is, what will you forward and
what will you ignore?

    il> Plenty of vendor-supplied 'user friendly' softwares on windows
    il> machines try to auto-connect to AP's, based on signal strength
[...]
    il> cafes and apartment buildings, and viola- hosed- with perhaps
    il> zero malicious or trespass intent.

I've seen some AP's that seem like they don't have the CPU power or
NAT table size to handle normal bittorrent, so I don't doubt that you
might have seen a problem with too many associations.  but the answer
is to get an AP that's not a piece of shit and doesn't crash.  auth
isn't needed for that.

    il> are there any IPSEC auth systems out there for wireless access
    il> points?

you just set up plain ipsec behind the AP.  you can use cisco ipsec
which works well, but costs a fair bit on ebay to get at 11g/11a
speeds.  It's complicated to configure but works well.  or else try to
use ipsec-tools racoon or openbsd isakmpd or whatever.  all probably
support XAuth, which is what you need to use ipsec with RADIUS.  You
also need the mode-config extension which they all support.  And you
don't need nat-traversal, which AIUI is still a stupid patch on
FreeBSD, and on all the BSD's it fails to do PMTU-D the way Cisco's
does.

    il> drop Cat6 and end this malarkey,

It's not unusual for companies to run EAP and the wpa-ish L2 auth,
802-dot-somethingorother, even on wired jacks.  logging into a jack
with a username and password, or with an X.509 cert, is supported by
both Mac and ExPee.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20081109/f6588062/attachment.bin>

More information about the talk mailing list