"For instance if you're using an LDAP directory to store authentication information, you can easily use SSL to encrypt traffic to and from it."
Really... I would be interested in hearing how? Using OpenLDAP and FreeRADIUS?
OpenLDAP + FreeRADIUS + SSL/TLS
If you already have a working OpenLDAP and FreeRADIUS setup, but are not using SSL/TLS, you can try using stunnel on both sides of the connection: http://www.stunnel.org/examples/generic_tunnel.html
It's not quite as elegant as using each project's built-in SSL/TLS support, but you can set it up without mucking with your current configuration too much.
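As an added illustration of the stunnel approach (editor's example, not part of Andrew's reply and not taken from the stunnel page linked above): one stunnel instance on the LDAP host terminates TLS and hands plaintext to slapd on the loopback interface, and one on the RADIUS host accepts plaintext from FreeRADIUS on the loopback interface and carries it over TLS. Hostnames, file paths and section names are placeholders. The client side pins the server to a CA with `verify = 2`; without that line the tunnel would encrypt but accept any certificate, which is exactly the rogue-server case discussed further down the thread.

```conf
; ---- /etc/stunnel/stunnel.conf on the LDAP host (server side) ----
; Terminates TLS on 636 and forwards cleartext to the local slapd on 389.
cert = /etc/stunnel/ldap-server.pem      ; server certificate (placeholder path)
key  = /etc/stunnel/ldap-server.key      ; matching private key (placeholder path)

[ldaps-in]
accept  = 636
connect = 127.0.0.1:389                  ; slapd keeps listening on loopback only

; ---- /etc/stunnel/stunnel.conf on the RADIUS host (client side) ----
; FreeRADIUS keeps talking plain LDAP to 127.0.0.1:389; stunnel wraps it in TLS.
client = yes
verify = 2                               ; require a certificate signed by CAfile
CAfile = /etc/stunnel/ca.pem             ; CA that issued the LDAP server cert (placeholder path)

[ldap-out]
accept  = 127.0.0.1:389
connect = ldap.example.internal:636      ; placeholder hostname of the LDAP host
```

With this in place the FreeRADIUS `ldap` module configuration only needs its server set to `127.0.0.1` on port 389; nothing else in the existing setup changes. The weak variant to avoid is the client config without `verify`/`CAfile`, which gives confidentiality on the wire but no assurance of which server answered.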
Setting up OpenLDAP to support SSL/TLS is documented here:
http://www.openldap.org/faq/data/cache/185.html
The default radiusd.conf supplied with FreeRADIUS also contains examples for how to set up TLS on the RADIUS server side of the operation.
Hope that helps. If you have any other questions don't hesitate to send them to wireless-security@nww.com.
--Andrew
OpenLDAP + FreeRADIUS + SSL/TLS
Yes, this solution can greatly improve wireless network security, but if you implement something different from EAP/TLS with mutual authentication with a previously installed certificate, it could happen that a user "forgets" to authenticate the AAA server (FreeRADIUS in this case) and a MITM attack arises (read MITM as rogue AP). Keep in mind that even with mutual authentication there's still room for an attack, as explained in "An Initial Security Analysis of the IEEE 802.1X Standard" by Arunesh Mishra and William A. Arbaugh, 6 Feb 2002.
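To make the previous comment's point concrete from the client side, an added example (editor's illustration, not part of the comment above): a wpa_supplicant network block for EAP-TLS in which the supplicant is told which CA the AAA server's certificate must chain to and which DNS suffix its certificate must carry. The SSID, identity, paths and suffix are placeholders. Leaving out `ca_cert` is the "forgets to authenticate the AAA server" case: the supplicant would then accept whatever certificate an access point presents.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf (placeholder values throughout)
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.internal"

    # Client side of mutual authentication: certificate and key installed beforehand
    client_cert="/etc/wpa_supplicant/certs/user.pem"
    private_key="/etc/wpa_supplicant/certs/user.key"

    # Server side of mutual authentication: without these two lines the
    # supplicant has no way to tell the real RADIUS server from a rogue AP
    ca_cert="/etc/wpa_supplicant/certs/corp-ca.pem"
    domain_suffix_match="radius.example.internal"
}
```

The `ca_cert` plus `domain_suffix_match` pair is what turns one-way TLS into the mutual authentication the comment asks for; the Mishra/Arbaugh paper cited above covers what 802.1X itself still leaves exposed even after that.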