Re: OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP

 ---- On Thu, 20 Jun 2024 04:22:46 +0800  Linus Lüssing  wrote --- 
 > Hi Michael,
 > 
 > Thanks for the feedback.
 > 
 > On Wed, Jun 19, 2024 at 02:32:20PM -0400, Michael Richardson wrote:
 > > Radius already does this, and does it better.
 > > And Radius v1.1 over TLS is a significantly better protocol than the NAT44
 > > hostile MD5-authenticated thing of yore.    Take a page from eduroam.
 > 
 > I don't think that RADIUS does this, this does not work for us with Freifunk.
 > Just like we can't offer eduroam on a Freifunk mesh node / AP
 > right now either:

Just let hostapd choose the RADIUS server based on the user name; no new protocol is needed.

 > 
 > The final RADIUS Accept message from the RADIUS server, no matter
 > if using it with or without TLS, will as the final step of its EAP
 > exchange send the pairwise-master-key to the AP. WPA encryption is between the
 > client/supplicant and the AP/authenticator only. The RADIUS TLS
 > encryption is a separate encryption channel and only between the
 > AP/authenticator and remote RADIUS server. It's not
 > end-to-end-encrypting payload between the client/authenticator and a
 > remote host.
 > 
 > This whole exchange therefore requires the AP/authenticator to be
 > run by a trusted operator. At Freifunk most of our nodes are run
 > by people that do not know each other. The AP/authenticator would
 > be able to Man-in-the-middle attack there.
 > 

EAP-TLS does not need a trusted AP; the certificate will prevent a fake server.
Your design requires the AP side to have the CCMP key, so it is still the same problem:
any internet traffic will also need to be decrypted before being sent to the WAN.


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap