Authentication on an Untrusted Network? 3
PapaZit writes "I'd like to set up a wireless access point to simplify LAN parties and other social geekery. All of these people should have access to the network when I allow it, but not otherwise. The filtering and routing solutions that I've seen are all based on IP addresses (which can easily be faked, changed, or stolen) or WEP (which requires a shared secret and reconfiguration of all systems if the secret has to be changed). Would filtering on MAC addresses work? PPPOE? RADIUS? Does anyone have experience with Linux or BSD tools that do this?"
Encrypted IP tunnels? (Score:1)
I think you have to set up encrypted tunnels, and ignore packets with the wrong data. Kerberos, SSH, SSLeay...there are tools for it, it's a matter of how large you want the shared secrets (keys/passwords) to be. And you only need to allow the Visitor passwords when you have guests.
kerberos of course. (Score:2)
PKI is what you're after... (Score:3)
Fundamentally, the problem you describe is this:
How do I trust a user is who they say they are?
If you can count on that, then you have any number of access/content control mechanisms. This is exactly what PKI (Public Key Infrastructure) addresses.
Fundamentally, you don't want to validate the machine, you're interested in the user. So forget network id, et al.
As others have pointed out, the obvious solution is Kerberos [mit.edu], from MIT. It was specifically designed to solve the problem you have. However, you have to build kerberos into your application, so it's not simple, and neither is the setup.
The second most popular solution are Personal Digital Certificates (NOT SSL Certificates). These are tied into Web Server authentication (for the most part), but can be used as a generic authentication mechanism. Depending on what you want, they can be relatively cheap and uncomplicated, or it can get pretty hairy. Look at Thawte [thawte.com] for a decent example - also, check out the iPlanet Certificate Server [iplanet.com] for some relevant info. Honestly, this is probably the easiest way to do what you want, IF you can do a web-based service. It won't be free, but if you scrape around, you can probably get it in place for a modest amount.
You can also look at things such as TIS or SecureID: these are more hard-core, since they're hardware token-based authentication schemes, and generally require custom software (though SSH supports TIS/SecureKey).
As a last resort, you might investigate VPN solutions, since, while they're not PKI in a true sense, they can provide network validation. S/WAN for Linux is a good, free thing here, and you might look at an IPSec implimentation, too.
Best of Luck.
-Erik