Wireless client access: Alternatives to hard configured password?

zjohnr

Regular Contributor
As I've mentioned in some posts on other topics, I've installed a TrendNet TEW-637AP access point on the small (~20 PCs) Windows Server 2003 based LAN network of a non-profit I volunteer at. Currently it is configured to 802.11g only with WPA2/AES using a 63 char hex password. (There's a bug in the 637AP's firmware which prevents it from accepting a 64 char password. :rolleyes:)

After I installed it and sent out an email letting the staff know it was there, it was promptly ... ignored. I sort of expected that. :)

But at a "board meeting" last week someone noticed their PC had found a wireless net in the building. Of course, they couldn't connect to it because I'm (intentionally) the only one with access to the password at the moment. But they wanted to find out how they could get access to the Internet.

So I expect I'm going to now get requests for wireless access. My problem is deciding on a "good" way to enable this access.

I think I would prefer to use RADIUS rather than to start handing out a hard configured password. To me, a fixed wireless access password only makes sense in the context of a home network. In a business, even an extremely small non-profit business, you could quickly run into password control issues. I'd rather avoid this, if possible.

However, I'm not sure that it is possible to do it another way. While I'm familiar with the principles behind RADIUS, I've never actually set up access to a wireless net using it and I'm not sure what is and is not possible in that context.

Is it possible to use RADIUS to authenticate a wireless client running one of the "Home" flavors of Windows XP/Vista? Would the PC need to have both a Windows logon userid and password?

An additional, lower priority question in the back of my mind is if there is some way to configure the network so that (some) wireless clients are only given access to the WAN/Internet. In other words, a way to prevent a wireless client from accessing part/all of the local LAN the access point is connected to?

-irrational john
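
Added example, not part of the original post: how WPA2-Personal turns the configured secret into its 256-bit key. An 8 to 63 character passphrase is stretched with PBKDF2-HMAC-SHA1 salted by the SSID, while exactly 64 hex digits are used as the key itself; the SSID and the sample secrets below are constructed, and the function names are this example's own.

```python
import hashlib
import string


def classify_secret(secret: str) -> str:
    """Say how a WPA2-PSK secret is interpreted: 'raw-psk' or 'passphrase'."""
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return "raw-psk"          # 64 hex digits = the 256-bit key itself
    if 8 <= len(secret) <= 63 and all(32 <= ord(c) <= 126 for c in secret):
        return "passphrase"       # 8-63 printable ASCII characters
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")


def wpa2_pmk(secret: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key for this secret on this SSID."""
    if classify_secret(secret) == "raw-psk":
        return bytes.fromhex(secret)
    # Passphrase path: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    return hashlib.pbkdf2_hmac(
        "sha1", secret.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    ssid = "ExampleNonProfit"                 # constructed SSID
    hex63 = ("0123456789abcdef" * 4)[:63]     # constructed 63-char hex string
    hex64 = hex63 + "f"                       # constructed 64-char hex string

    for secret in (hex63, hex64):
        kind = classify_secret(secret)
        key = wpa2_pmk(secret, ssid)
        print(f"{len(secret)} chars -> {kind:10s} key={key.hex()}")

    # The SSID is the salt, so the same passphrase gives a different key
    # on a differently named network.
    other = wpa2_pmk(hex63, "AnotherSSID")
    print("same passphrase, other SSID:", other.hex())
```

Because the SSID salts the derivation, renaming the network changes the key even when the passphrase stays the same; the 64-hex-digit form is unaffected by the SSID.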
 
FWIW, two companies ago, my work place had WEP with the hex passcode written on a whiteboard marked "do not erase". At the time, I was running WPA2-PSK with a random 63-character password at home.
 
Tell me about it ...

FWIW, two companies ago, my work place had WEP with the hex passcode written on a whiteboard marked "do not erase".

I've never had a good empathetic grasp on why computer/network security seems like an unnecessary burden to most people. They can seem to easily grasp the need to protect a physical document, but act as though electronic documents need no protection.

When I first started looking at the computers at this non-profit I found that most of them required no password to log in locally (i.e. not on the server's domain) as "Administrator". All you had to do was type Administrator for the userid, leave the password field blank, and hit enter. Bingo. You were "in".

Not that their current choice for the Administrator password is that much better ... except to the extent that any type of a non-null password is better than the empty string.

I've considered changing the Administrator password to something less likely to be on your average virus list of common trivial passwords. But I'm pretty sure if I did I'd immediately become persona non grata. Oh, well.

-irrational john
 
I've never had a good empathetic grasp on why computer/network security seems like an unnecessary burden to most people.
Because it is extremely user-unfriendly and to boot, a burden which increases exponentially with every website and every system you need access to. And then add another degree for every month that you have to forget x number of passwords and remember x new ones.

This is not value-added - it is a value destroyer in terms of people's time and mental effort.

If computer security is THAT vital, then why haven't those who feel it important also found a way to make other options to passwords better?

Take biometrics for example - I have a fingerprint reader on my Dell XPS 1330 issued by my company. In theory this makes my life easier in terms of logging on to the laptop.

In reality it is no such thing. I might have to swipe 3-4-5 times slooooooowly just to get the thing to recognise me. And then once in the laptop, guess what - the biometric verification is no use!! I still need another password to get into Outlook. And then to log into the online timesheet application to register my hours I need yet another password - even when accessing from the work LAN. And that password has to be changed monthly. For a web page that has only timesheet entry. Talk about overkill......

Is that pain-in-the-butt biometric verification helpful in getting into any of those systems? No.

I mean if you needed one key to get into your car, another for the ignition, another for the radio and yet another for the glove compartment and even one for the AC system. And you had to change each of those keys monthly.....then you have an analogy to what users go through with passwords on computer systems.

In truth this is primitive and poorly executed. Considering that computer companies spend millions if not billions on things like process engineering and "lean methodology" it is a crying shame that they perpetrate things like this on users. An utter disgrace.

Sorry for the rant, but it's just true...
 
Thank you very much!

If you're running Win2003 Server already just use Internet Authentication Service (IAS) and PEAP.

k

Thanks. I'll check out that article.

For the future reference of anyone else who might be interested, it looks like the last character ... the "x" in ".aspx" ... got omitted in the link you posted. Below is the link I think you intended to post.

Securing Wireless LANs with PEAP and Passwords

-irrational john
 
Not really the situation I am dealing with ...

Because it is extremely user-unfriendly and to boot, a burden which increases exponentially with every website and every system you need access to. And then add another degree for every month that you have to forget x number of passwords and remember x new ones.

While I don't disagree with you in principle, I figured I should point out that the problem/annoyance you refer to is at the opposite end of the spectrum from the situation I referred to.

Computer/network security to me is analogous to the safeguards in a nuclear power plant. Another example that comes to mind are disaster prevention efforts such as the pre-Katrina levees.

The level of security should always be gauged not by how likely it is that you'll run into a problem, but by how severe the damage will be if it does all "hit the fan".

I think it's worth noting that the folks who did not want to "waste" money strengthening the levees around New Orleans were "right" for a long, long time. It was a waste of money ... not to mention the burden the local community would have suffered from the construction ... right up until Katrina hit. Only then did people fully realize what the tradeoffs were.

At this point it seems appropriate to dig out the old cliche that "Only you know how valuable your data is". I tend to pick my passwords based on how much I value the data that the password protects.

But when the "Administrator" password on all your computers ... including your server ... is on the list of Conficker worm passwords, I personally think you're further out on a limb than any business should be. Whether or not I'll get any traction with that argument remains to be seen. The "argument" that it's all "not worth it" is hard to rebut mostly because it's always true ... right up until the very minute it stops being true.

Just my "rambling" two cents worth,

-irrational john
 
