Mike Joseph on 7 Feb 2016 13:09:10 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Automatically connect to a single wireless network


What your friend wants is very challenging, and it has nothing to do with locking down WiFi settings on the laptop.

There's no mechanism for a wireless AP to authenticate to its clients.  And before someone chimes in that 802.1x allows for known server certificate validation, note that many clients will connect anyway if the same ESSID is presented by an AP offering no network security.

So, the real challenge here is configuring the Linux WiFi client stack to:

1) Connect only to a specific ESSID
2) Require that the given ESSID implements 802.1x authentication, and ensure that the client refuses to associate without it
3) Require that the 802.1x supplicant on the client perform server certificate validation
4) Hardcode the list of valid server certificates for the 802.1x supplicant to trust
5) Hope that there's no way for the AP to allow the connection association to complete even in the face of 802.1x failure

Your big problems will be with #2 and #5, because the protocol isn't really designed for that.  I'm not saying it can't be done on Linux, but at least I'm not sure how (off the top of my head).

Of course, there are plenty of other options for getting around this, like running IPtables, using a VPN tunnel, or a mandatory HTTP proxy.  And most likely the solution would be some combination of those.  I can think of a few designs in my head now that would likely work, with varying degrees of complexity.

But, this is a much harder problem than just locking down network settings.

-MJ

On Feb 7, 2016 12:20 PM, "Eric Lucas" <eric@lucii.org> wrote:
I have a friend with an odd request.

He's trying to get a number of Ubuntu laptops set up and they need to
automatically connect to a specific wireless network - and NO OTHER.    The
network DHCP server has a list of MAC addresses and only responds to those
specific computers.  The user should never have to (or be able to) enter the
key for the network authentication.

The issue here is the users are state prisoners and at least one site close to
the prison has wireless.  Although the prisoners don't have the credentials to
access that network it does not mean that someone else couldn't set up another
wireless for the purpose of allowing certain (paying?) prisoners to get
directly to the Internet.

Any idea how would this be done?  I can envision how manual configuration of
the network and disabling the GUI tools would work for eth0 but I have no idea
how to restrict the wireless access to a single hard-coded network and no
prompt for the password.

He did not specify but I'm guessing he's using a 15.x version of Ubuntu.

Eric

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug