Chris

From what I gather, you're looking for accountability. Bearing in mind
MAC addresses can be spoofed (and IP addresses are likely to be dynamic),
how do you intend to identify the users for accounting purposes? They log
in, sure, but then what? I think the problem is that once in there is no
real difference between any of the users.

I would suggest that you need a different crypto key for each user. Then,
only if the keys are compromised are you going to end up not knowing who
did what. I would suggest IPSec as a suitable multi-user multi-key
technology. Users would need to register in person (you don't want those
keys transmitted in clear over the air, do you?) and be issued with a
strong PSK or a certificate, depending on the config.

I would certainly recommend you read the NTA-Monitor paper on ISAKMP if
you do go this way.

Kev

> At my university, the computer science department would like to offer
> wireless access to computer science students, but would like the
> access to not be anonymous. Current problems with unrestricted access
> to the internet are obvious, anonymous kids downloading porn, movies,
> mp3s, etc, and as the university allowed this to happen, they could be
> held liable.
>
> enforcing a logon policy would help limit the university's liability
> in said situations.
>
> ideally, we would like to implement a system in which the user will
> connect to un-encrypted wireless, but any attempts to get out will be
> redirected to the authentication page. Once the user logs in, they
> will be given the WEP key of the day, and then they will have
> unrestricted access.
>
> I'm investigating the usage of Linksys WRT45G routers, with a modified
> firmware, but I have no actual experience with this. I would like to
> look into other methods of doing this, as well, such as Perfigo (which
> has now been acquired by Cisco)...
>
> If you have any suggestions for hardware, or existing documentation
> floating on the net about how to achieve this sort of setup, please
> let me know.
>
> Chris
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards

-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd