FreeRadius + Mysql + MAC address authentication + linksys WRT54GS

A.L.M.Buxey at lboro.ac.uk
Thu Jun 30 11:46:36 CEST 2005


Hi,

> * 20 hotspots with a Linksys AP and a modified firmware (OpenWRT) and maybe 
> chilispot.
> * Freeradius server
> * apache2 webserver
> * free-HS (SSID)
> 
> The objective is to have some free hotspots on a certain area and the user, as 
> soon as he chooses free-HS network, will be redirected to a register page. 
> Maybe using a proxy trick or a php redirect.

if you use something like Chilispot then this will do the redirect 

> * We don't have any certificate store to sign our certificate,
> * We don't want people to install certificates

I would get some certificates signed by a low cost known certifier
but make sure that the signature is already in the known Windows
list - then they won't have to install one

> Another question. What type of protocols should we use?
> EAP, PEAP, CHAP, MSCHAP, EAP/TLS, WEP ?
> 
> The most simple for the Windows users to access.

ah. once you use one of these wireless encryption methods then
you will have to make sure that the users know all the info in 
advance.  in terms of real security, just use pure un-WEP'd wireless,
make sure the login is SSL encrypted - eg AES256 HTTPS
and then only allow secure protocols through the network - oh and
WARN the users that the network is insecure and that passwords
and credit card details should only be typed in when they are visiting
HTTPS secure sites and using IMAPS etc (though most users will
use web-based email on the move). using the basic 'secure' methods
is useless as you would have to notify everyone what the key was (making
the point of the key useless), even if you carefully inform users, WEP,
EAP and PEAP with PSK etc are crackable within a fraction of time -
at which point all those 'secure with WEP etc' password transactions
are readable.  EAP/TLS would mean giving the users certificates before
they could connect to your wireless. how would you do that? via another
wireless network?

alan