Re: Getting Around the Quota
Posted: Sun Mar 21, 2010 3:29 am
by uncle john
Eric wrote:I suspect this topic is popular because people are interested in weaknesses in the quota system (which is what the title refers to),...
I've given this subject a little more thought and noticed that Gargoyle supports WPA2 RADIUS. I've also noticed some organisations are now providing
free RADIUS services.
Internet users are required to login for so many services nowadays, e.g. email, social network sites, etc. I don't think it would be too much to expect them to login via RADIUS to use the internet as well. This would overcome the vulnerability to MAC spoofing wouldn't it?
Why not take it one step further and include the option of associating all of Gargoyle's quota and restriction features to authentic usernames when WPA2 RADIUS is selected?
At the moment you can assign a static IP to a MAC. If you include the ability to assign a static IP to an authentic username it wouldn't matter which device the user used. If RADIUS returned "yes" username authenticated, the static IP associated with that username would then be allocated to that device. This would obviate the need for a captive portal etc. and make the WLAN very secure.
Is this feasible?
Re: Getting Around the Quota
Posted: Sun Mar 21, 2010 9:41 pm
by Eric
What you describe is the definition of a captive portal with RADIUS authentication.
It is true that if I implement it such that users get static IPs it would be a lot easier, but this has several drawbacks. Setting a static IP prevents a user from logging in from two computers at once and also limits the total number of allowed usernames. Therefore my plan is to eventually make IP assignment dynamic, even though this is harder.
Re: Getting Around the Quota
Posted: Mon Mar 22, 2010 6:50 am
by uncle john
Eric: Thanks for your comment. Dynamic IP assignment sounds very tricky. I wish you well.
Re: Getting Around the Quota
Posted: Mon Mar 22, 2010 8:42 am
by Eric
Just to be clear -- dynamic IP assignment by itself is easy (just use dhcp!), but keeping track of users when the ip of a given user is dynamic will be tricky.
Re: Getting Around the Quota
Posted: Tue Mar 23, 2010 4:27 pm
by uncle john
Thanks for the clarification. That's what I understood. And I think it's a great idea to tie quota to username in this way.
I'd also like to clarify my thinking regarding the captive portal idea. In short I'm not in favour of it.
I put forward the idea of using WPA2 RADIUS because users can use it immediately to overcome the problem of MAC spoofing. They don't need to wait for a captive portal to be implemented before starting to use it.
I'm not in favour of a captive portal because of the limitations stated here. One of these limitations is that a captive portal is vulnerable to MAC spoofing. This is the very thing this topic is trying to address.
Therefore I'd suggest that resources which would otherwise be used for a captive portal could be put to better use.
Having to rely on a RADIUS service based in "the cloud" is not ideal. So instead of RADIUS why not implement something like tinyPEAP in the Gargoyle router?
I'd suggest that the main market for Gargoyle is the household. If so the "household administrator" could ensure that users' devices are set up for PEAP.
Re: Getting Around the Quota
Posted: Tue Mar 23, 2010 5:36 pm
by Eric
RADIUS is only an authentication protocol. It does not solve the problem of MAC spoofing.
Captive portal partially solves the problem -- mac spoofing will still work but only if another user is logged in. The attacker can sniff packets from that user and clone the mac, but after that user logs out, the mac is no longer valid and the attacker will need to re-sniff for packets all over again. This is an improvement over static IPs assigned to MAC addresses, which doesn't require the attacker to re-sniff every time.
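To make the difference Eric describes concrete, here is an added model (editor's illustration, not Gargoyle's firewall or quota code) of the two ways of tying a quota to a client: a static lease bound to a MAC, and a captive-portal session that is revoked at logout. The MAC addresses, byte counts and quota are constructed for the example; the router in both cases sees only the source MAC, so a cloned MAC is indistinguishable from the real one and its traffic is charged to the victim either way. What changes is how long the clone stays useful.

```python
"""Added illustration (not Gargoyle code): what a MAC-spoofing attacker gets
when a quota is keyed to a static MAC lease, versus a captive-portal session
that ends at logout.  MAC addresses, byte counts and quota are constructed."""

from dataclasses import dataclass, field

VICTIM = "00:11:22:33:44:55"       # constructed victim MAC
ATTACKER = "66:77:88:99:aa:bb"     # constructed attacker MAC (before cloning)
QUOTA_BYTES = 1000                 # constructed per-client quota


@dataclass
class QuotaRouter:
    """Shared quota accounting; subclasses decide when a MAC may forward."""
    used: dict = field(default_factory=dict)

    def permitted(self, mac):
        raise NotImplementedError

    def forward(self, src_mac, nbytes):
        """Return True if the packet is forwarded; bytes are charged to src_mac.
        The router only sees the MAC, so a clone is indistinguishable."""
        if not self.permitted(src_mac):
            return False
        if self.used.get(src_mac, 0) + nbytes > QUOTA_BYTES:
            return False
        self.used[src_mac] = self.used.get(src_mac, 0) + nbytes
        return True


@dataclass
class StaticLeaseRouter(QuotaRouter):
    """Static IP bound to a MAC: once assigned, the MAC is valid indefinitely."""
    leases: set = field(default_factory=set)

    def login(self, mac):
        self.leases.add(mac)

    def logout(self, mac):
        pass  # nothing to revoke: the lease does not depend on a session

    def permitted(self, mac):
        return mac in self.leases


@dataclass
class CaptivePortalRouter(QuotaRouter):
    """MAC is whitelisted only while the user's portal session is open."""
    sessions: set = field(default_factory=set)

    def login(self, mac):
        self.sessions.add(mac)

    def logout(self, mac):
        self.sessions.discard(mac)

    def permitted(self, mac):
        return mac in self.sessions


def spoofing_scenario(router):
    """Victim authenticates; the attacker clones the victim's MAC (sniffed
    off the air) and sends traffic; the victim logs out; the attacker tries
    again with the cloned MAC and then with its own MAC."""
    out = {}
    router.login(VICTIM)
    out["victim_traffic"] = router.forward(VICTIM, 100)
    out["spoof_while_logged_in"] = router.forward(VICTIM, 100)  # attacker, cloned MAC
    out["charged_to_victim"] = router.used.get(VICTIM, 0)
    router.logout(VICTIM)
    out["spoof_after_logout"] = router.forward(VICTIM, 100)     # attacker, cloned MAC
    out["attacker_own_mac"] = router.forward(ATTACKER, 100)
    return out


if __name__ == "__main__":
    for cls in (StaticLeaseRouter, CaptivePortalRouter):
        print(cls.__name__, spoofing_scenario(cls()))
```

Running it shows the partial improvement: under the static lease the cloned MAC keeps working after the victim leaves, while under the portal it stops at logout and the attacker has to wait for, and sniff, the victim's next session. In both models the attacker's bytes land on the victim's quota, which is the accounting problem the thread is about.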
Re: Getting Around the Quota
Posted: Tue Mar 23, 2010 6:01 pm
by uncle john
Oh. I was under the impression that under WPA2 RADIUS each connection had different encryption. Thanks for educating me......again.
Re: Getting Around the Quota
Posted: Wed Apr 28, 2010 10:06 pm
by uncle john
Eric: Congratulations on putting your pre-loaded routers up for sale. You mentioned that Lena uses a bridged router to connect to an AP router. I seem to remember reading somewhere that an AP and a bridge can have different passwords (encryption). Have I got this right? Could you explain how this can be set up?
Re: Getting Around the Quota
Posted: Thu Apr 29, 2010 8:56 am
by Eric
An AP and a bridge can't have different encryption/passwords. It may be theoretically possible for a repeater to have different encryption/passwords but Gargoyle doesn't currently support this. You can setup ap+client (similar to a repeater, but routed instead of bridged) with different encryption though.
A bridge connects as a client to an AP, so it has to use the same encryption. A repeater or AP+Client re-broadcasts the signal.
In Lena's case she doesn't need the signal to be amplified/re-broadcast, so it's just a bridge. The AP is in one room and her PC (which has an ethernet port but no wireless card) is about 50 feet away. Instead of running an ugly ethernet cord through the middle of the apartment, a wireless bridge in the same room as her pc receives the signal from the AP, and connects to her PC.
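As an added illustration of the AP+client arrangement Eric describes (an editor's example, not Gargoyle's own configuration; the SSIDs, passphrases, radio and network names are assumed), here is an OpenWrt-style /etc/config/wireless, which is the configuration format Gargoyle's OpenWrt base uses. One interface runs as a client (sta) and joins the upstream AP, so it must carry that AP's passphrase; a second interface on the same radio runs as an AP on the LAN side with its own passphrase. Because the two sides are routed rather than bridged, they can differ.

```uci
# Added example, not Gargoyle's shipped config. Names and keys are assumed.

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '6'

# Client side: joins the upstream AP (the "Anubis" in the thread).
# This passphrase has to be whatever the upstream AP expects, exactly
# as any other client of that AP would supply.
config wifi-iface
	option device 'radio0'
	option network 'wan'
	option mode 'sta'
	option ssid 'Anubis'
	option encryption 'psk2'
	option key 'upstream-passphrase-as-set-on-Anubis'

# AP side: a separate network re-broadcast on the LAN, routed (NAT) to the
# client side above. Its passphrase is independent of the upstream one.
config wifi-iface
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Anubis-downstream'
	option encryption 'psk2'
	option key 'different-downstream-passphrase'
```

A plain bridge has only the first, client-side interface and so has no second key to set; the different password in AP+client mode is the downstream AP's, never the upstream one.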
Re: Getting Around the Quota
Posted: Thu Apr 29, 2010 5:25 pm
by uncle john
Oh, I overlooked the fact that it is still possible to purchase desktop PCs without a wireless card. Thanks for clarifying the situation regarding Lena.
Eric wrote:You can setup ap+client (similar to a repeater, but routed instead of bridged) with different encryption though.
Could you please clarify this statement. I read through the guide found here but I figure that for a client to be able to connect to the AP (ie. Anubis) you would have to supply the same password that any other client would need to provide. (I have a feeling that this is going to turn out to be a silly question .......again).