Mike Joseph on 7 Feb 2016 13:35:20 -0800
Re: [PLUG] Automatically connect to a single wireless network
Nothing about what I wrote had to do with authenticating the clients.
I get what he's asking for, but what I'm saying is that unless the *clients* authenticate the *network* (AP or otherwise), the security vulnerability remains.
And, of course, this ask assumes that the prison staff are able to securely control the configuration of the clients.
-MJ
I don't think he wants the WAP to authenticate his clients. He wants to lock down the clients so they don't accidentally use another wireless network.
I think this should be doable: remove network manager and stick a wireless config script (iwconfig .... ; dhclient wlan0) in /etc/rc.local or something.
Of course if folks have physical access to these systems, they can root them and do what they like.
On Sun, Feb 7, 2016 at 4:08 PM, Mike Joseph <mj@doze.net> wrote:
What your friend wants is very challenging, and it has nothing to do with locking down WiFi settings on the laptop.
There's no mechanism for a wireless AP to authenticate to its clients. And before someone chimes in that 802.1x allows for known server certificate validation, note that many clients will connect anyway if the same ESSID is presented by an AP offering no network security.
So, the real challenge here is configuring the Linux WiFi client stack to:
1) Connect only to a specific ESSID
2) Require that the given ESSID implements 802.1x authentication, and ensure that the client refuses to associate without it
3) Require that the 802.1x supplicant on the client perform server certificate validation
4) Hardcode the list of valid server certificates for the 802.1x supplicant to trust
5) Hope that there's no way for the AP to allow the connection association to complete even in the face of 802.1x failure
Your big problems will be with #2 and #5, because the protocol isn't really designed for that. I'm not saying it can't be done on Linux, but at least I'm not sure how (off the top of my head).
Of course, there are plenty of other options for getting around this, like running IPtables, using a VPN tunnel, or a mandatory HTTP proxy. And most likely the solution would be some combination of those. I can think of a few designs in my head now that would likely work, with varying degrees of complexity.
But, this is a much harder problem than just locking down network settings.
-MJ
On Feb 7, 2016 12:20 PM, "Eric Lucas" <eric@lucii.org> wrote:
I have a friend with an odd request.
He's trying to get a number of Ubuntu laptops set up and they need to automatically connect to a specific wireless network - and NO OTHER. The network DHCP server has a list of MAC addresses and only responds to those specific computers. The user should never have to (or be able to) enter the key for the network authentication.
The issue here is the users are state prisoners and at least one site close to the prison has wireless. Although the prisoners don't have the credentials to access that network it does not mean that someone else couldn't set up another wireless for the purpose of allowing certain (paying?) prisoners to get directly to the Internet.
Any idea how this would be done? I can envision how manual configuration of the network and disabling the GUI tools would work for eth0 but I have no idea how to restrict the wireless access to a single hard-coded network and no prompt for the password.
He did not specify but I'm guessing he's using a 15.x version of Ubuntu.
Eric
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
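A wpa_supplicant.conf that implements items 1, 3 and 4 of Mike's list and most of item 2 (the supplicant will only match a WPA/WPA2 enterprise network, so an open AP broadcasting the same ESSID is never a candidate), as an added example that is not from any of the posters. The SSID, certificate paths, identity and RADIUS server name are placeholder assumptions.

```ini
# Added example, not from the thread. Placeholders to replace: the SSID
# "PrisonEdu", the identity, the paths under /etc/wpa_supplicant/certs and
# the RADIUS server name radius.example.org.

# Control socket restricted to root, so an unprivileged user cannot use
# wpa_cli to add or select another network.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root

# Never let the supplicant write learned networks back into this file.
update_config=0
ap_scan=1

network={
    # Item 1: the only ESSID this client knows about.
    ssid="PrisonEdu"
    scan_ssid=1

    # Item 2: require WPA2 enterprise (802.1X/EAP) with CCMP only.
    # A network of the same name offering no security does not match this
    # block, so the client will not associate with it.
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP

    # Item 3: EAP-TLS, so the client presents its own certificate and
    # validates the server's before any keys are derived.
    eap=TLS
    identity="laptop-01@example.org"
    client_cert="/etc/wpa_supplicant/certs/laptop-01.pem"
    private_key="/etc/wpa_supplicant/certs/laptop-01.key"

    # Item 4: trust only the site's own CA, and additionally require the
    # server certificate to carry this name, so another certificate signed
    # by the same CA is also rejected.
    ca_cert="/etc/wpa_supplicant/certs/site-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

Item 5 is not addressed by configuration: an AP can still accept the association, but because the 4-way handshake never completes after an EAP failure, no data frames are passed, which is the property that matters here. The thread's other caveats (remove the GUI network manager so it cannot override this file, and a user with physical access can still root the box) stand unchanged.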