Securing Your Wireless Network
Novell Cool Solutions: Feature
By Karl Reischl
Digg This -
Posted: 9 May 2002
You can't get on our wireless network unless your MAC address is authenticated to a "user ID" object (that matches your MAC address) in our eDirectory. So if you aren't in eDirectory, you aren't getting on our network.
This assumes that you already have a working configuration of RADIUS.
While it is improving, the joke you hear often is "wireless security" is a contradiction in terms. While trying to figure out what the best security options are for our wireless network, I thought we should first focus on gaining basic access to the wireless network.
I did some research and with a firmware upgrade, our wireless access points were able to authenticate the wireless device using either MAC via RADIUS or 802.1X. Since we are nowhere near ready for 802.1X, I decided to work with the MAC. And since it used RADIUS I investigated how to get this security scheme work with eDirectory.
Setting up the access point was similar to any other RADIUS device. I entered in the IP addresses of the primary and secondary RADIUS servers, what ports they are using and the shared secret key.
The access point used the xx-xx-xx-xx-xx-xx format for the user ID and has the option of not requiring a password -- or if this goes against your policies, it can use a hard coded (within the access point) predefined password for all user IDs.
A OU was created to hold all of the user IDs for this and I added that OU to the USER NAME RESOLUTION tab of the DIAL ACCESS SYSTEM RADIUS object.
The next step was to create the users in the NDS tree. It's a standard "user" type object without any templates. The "login name" field was the xx-xx-xx-xx-xx-xx format of the MAC address. I used the last name field to denote more information about the wireless device - like its asset tag, if it was school owned equipment, or a student name/ID, etc.
The next step is to add the DIAL ACCESS SYSTEM RADIUS object to the user ID in the DIAL ACCESS SERVICES tab. You do not need to add any DIAL ACCESS PROFILES -- just the DAS. Press OK and that's it.
On the server console you will see the IP address of access point followed by the MAC address of the wireless device trying to or gaining access to the network.
Below are some screen shots of the RADIUS console:
Figure 1 -- RADIUS console screen when a MAC address has *not* been entered into eDirectory.
Figure 2 -- RADIUS console screen when the MAC address has been authenticated to eDirectory.
The wireless device will always get a link to the access point. However, the access point will not process any traffic to the wireless device if the wireless device does not get authenticated.
I understand that in large education institutions it might not be practical to maintain this list. In this case, maybe using MAC authentication only to non-student devices (i.e. administrative offices/hallways) and having the student access point on its own VLAN can be considered. In either case, this option provides a valuable use of eDirectory.
Karl Reischl is a Network Analyst at Moraine Park Technical College. If you have questions about Karl's solution, you can reach him at firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com