Linus Lüssing <linus.luessing@xxxxxxxxx> wrote:

> It's been a while since I last posted here. But I wanted to share a
> small project idea which has been on my mind for quite a while now,
> especially for wireless community mesh networks like Freifunk, which
> I'm now finally able to work on thanks to some nlnet funding:
> https://nlnet.nl/project/OpenHarbors/
> https://www.open-mesh.org/projects/open-mesh/wiki/OpenHarbors
> The idea is to dynamically tunnel WPA frames over IP/L2TP to some
> remote host based on the domain part / realm in the outer, unencrypted
> identity in EAPoL. So basically moving the authenticator away from the
> wireless AP to some remote site chosen by the user:

Radius already does this, and does it better. And Radius v1.1 over TLS is a
significantly better protocol than the NAT44-hostile, MD5-authenticated thing
of yore. Take a page from eduroam.

L2TP is a disaster; it requires IPsec transport mode to be secure. Just don't.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [
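Both the proposed tunnel selector and a realm-routing RADIUS proxy key on the same value: the realm in the unencrypted outer EAP-Response/Identity. The following is an added example, not code from either poster or from hostapd, showing how that realm is parsed out of an EAPOL frame and mapped to a forwarding target; the route table, realm names and helper names are constructed for illustration.

```python
import struct

EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_identity_realm(eapol: bytes):
    """Return (identity, realm) from an EAPOL frame carrying EAP-Response/Identity.

    Returns None for anything else (EAPOL-Start, EAP-Request, other EAP types).
    The outer identity is readable on the wire but unauthenticated, so it may
    only select where the exchange is forwarded, never grant access by itself.
    """
    if len(eapol) < 4:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        return None
    body = eapol[4:4 + body_len]
    if len(body) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(body):
        return None
    identity = body[5:eap_len].decode("utf-8", errors="replace")
    # RFC 7542 NAI: the realm follows the '@'. Anonymous outer identities such as
    # "anonymous@example.org" or "@example.org" are the common EAP-TTLS/PEAP case.
    realm = identity.rsplit("@", 1)[1].lower() if "@" in identity else ""
    return identity, realm


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Construct an EAPOL(v2) frame carrying EAP-Response/Identity (test input only)."""
    ident = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def select_target(realm: str, routes: dict, default=None):
    """Pick a forwarding target for a realm, trying parent domains before the default.

    Mirrors realm-suffix matching as done by RADIUS proxies; 'routes' is a constructed
    table mapping realm suffix -> target name.
    """
    labels = realm.split(".") if realm else []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in routes:
            return routes[candidate]
    return default
```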
Hostap mailing list, Hostap@xxxxxxxxxxxxxxxxxxx, http://lists.infradead.org/mailman/listinfo/hostap