Privacy Details (WEP)
We have discounted both the WEP (Wired Equivalent Privacy) and private network-name approaches to denying unauthorized wireless network access, because they are inherently weak schemes when used with large user populations. The "private" information (WEP key and/or network name) must be made available to every user on campus, which means that the information is no longer private.
Of course, once an unauthorized user obtains this information that user may then join the network, and the campus would have no way of knowing about it. Further, the current WEP schemes do not stop sniffing once a user has joined the wireless network.
Most wireless vendors are preparing to release a system commonly referred to as Dynamic WEP, a scheme in which each user gets their own dynamically allocated WEP key. Our need to roll out a wireless network now prevented us from waiting for it to arrive.
MAC Based Authentication
Consequently, we decided to focus on a MAC address-based authentication scheme for our wireless network. As an aside, one concern was that the MAC address could be changed. We discovered that the vendor-supplied software which may be used to change a MAC address forces the user to set bit 6 of the MAC address (counting from the left, starting with bit 0). This is called the "local address bit". We do not allow addresses with this bit set to be registered. It is possible to work around this by modifying Linux driver source, but this was the strongest scheme we could come up with based on the technology available when we made our plans in August and September, 2000.
In our particular implementation, we projected a single subnet via fiber and switches to the physical locations where wireless would be deployed in publicly accessible places (such as the student center and the library). In this way, one is able to use a wireless laptop in one location, close the lid to put it to sleep, move to another wireless location, open the lid, and continue working without having to change the network address. Also, because all wireless traffic passes through one subnet, we are able to use access control lists at the router that supports the subnet to control or suppress certain activity, such as running certain types of servers.
Next, we put a DHCP and a Radius server on the subnet, both of which have in their configuration files a list of pre-registered MAC addresses. When a wireless user walks into an open wireless zone, the access point contacts the Radius server to validate the MAC address. If it is validated, the user is then able to obtain an IP address on the wireless network via DHCP. The DHCP server likewise validates the MAC address before issuing a lease. Lucent access points were selected because they support using the Radius protocol to authenticate MAC addresses against a centralized server.
We register the MAC addresses through a Web page which may only be accessed by possessing a valid campus network user-id and password, and the MAC addresses so registered are associated with that user-id in the database which the Web page updates. A daemon periodically applies additions and changes for the MAC addresses to the DHCP and Radius configuration files, using the then-current contents of the database. Network user-ids are authenticated via a central MIT Kerberos server.
In this way we control who may use this network while at the same time knowing who is using it. We keep historical logs so that a person may not register, commit an act which goes against network policy, and then de-register quickly to avoid detection: the logs preserve what the database no longer shows. Also, should the need arise, we may quickly turn off network access for any computer on the wireless network simply by removing the appropriate MAC address from the Radius configuration file.
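The registration-side checks described above (the local address bit test, the current MAC-to-user table the configuration files are generated from, and the historical log that survives de-registration) can be sketched as follows. This is an added example, not UC Irvine's registration code; the MAC addresses in it are constructed samples, and the in-memory table and history list stand in for the campus database and log files.

```python
import re
from datetime import datetime, timezone

LOCAL_ADDR_BIT = 0x02  # bit 6 of the first octet (bit 0 = leftmost): the "local address bit"
MULTICAST_BIT = 0x01   # bit 7 of the first octet: group/multicast, never a station address

def parse_mac(text):
    """Normalise aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {text!r}")
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))

def registration_check(text):
    """Return (accepted, normalised MAC or rejection reason) for a registration request."""
    try:
        mac = parse_mac(text)
    except ValueError as exc:
        return False, str(exc)
    first_octet = int(mac[:2], 16)
    if first_octet & MULTICAST_BIT:
        return False, "group/multicast address"
    if first_octet & LOCAL_ADDR_BIT:
        return False, "local address bit set (software-assigned MAC)"
    return True, mac

class MacRegistry:
    def __init__(self):
        self.current = {}   # the table the DHCP/Radius config files are generated from
        self.history = []   # (timestamp, action, mac, user-id); entries are never deleted

    def register(self, text, user):
        ok, result = registration_check(text)
        if ok:
            self.current[result] = user
            self.history.append((datetime.now(timezone.utc), "add", result, user))
        return ok, result

    def deregister(self, text):
        mac = parse_mac(text)
        user = self.current.pop(mac, None)  # gone from the config sources ...
        self.history.append((datetime.now(timezone.utc), "remove", mac, user))  # ... but not from the log
        return user

    def who_had(self, text):
        """Every user-id ever recorded for a MAC, even after it was de-registered."""
        mac = parse_mac(text)
        return [u for _, action, m, u in self.history if m == mac and action == "add"]
```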
Programmers in UC Irvine’s OIT (Office of Information Technology) group created the Web pages, registration-page support code, and background code for running and updating the servers.
For additional information about the UC Irvine wireless security scheme specifically, please contact
Garrett D. Hildebrand
OIT (Office of Information Technology)
Irvine, CA, 92697-2225