[ietf78-tech] auth token

Chris Elliott chelliot at pobox.com
Sat Jun 26 12:55:19 PDT 2010


Why put more hardware in the data path? And use a known insecure method?

Let's use WPA/WPA2 with 802.1X and RADIUS. Obviously the APs support this. The switches also support this on wired, although I don't think we need to authenticate wired as long as we check badges for folks coming into the terminal room.

Chris.


--
Chris Elliott


On Jun 26, 2010, at 3:45 PM, John Kemp <kemp at network-services.uoregon.edu> wrote:

> 
> I guess I should say "hello!", since the demon has now been invoked.
> My name is not Hans Kuhn, but we have been known to share a beer now
> and again...
> 
> To Randy's question, I thought that sounded like a simple and
> efficient idea, i.e. token exists already.
> 
> Same phone/codes as you used for the other phone meeting?
> US: +1 650 625 2888 ... ???
> 
> My plan for this week is to proof-of-concept and performance
> test MAC address filtering and redirection using ebtables and
> broute.  So that's what I'm working on.  Idea is that there are
> two nics on the box, multiple vlans in trunk on each side, matching
> multiple interfaces defined on the nics on the box,
> and two bridge interfaces carrying whichever vlans are chosen, any
> designated as "filtered" or designated as "clear".  So that's the
> general concept.  Bridging + mac address filtering.  Let me know
> if that sounds approximately correct for the requirements???
> 
> John Kemp (kemp at network-services.uoregon.edu)
> 
> 
> On 06/25/2010 11:24 PM, Jim Martin wrote:
>>    Sorry Randy ... just too much real life this week. Actually, John, Joel and Rob Nagy are working together on a first cut plan. I expect to discuss their results on the Monday call so we can have something for Ray on the Tuesday admin call.
>> 
>>    - Jim
>> 
>> On Jun 25, 2010, at 10:48 PM, Randy Bush wrote:
>> 
>>>> of course we are too late to have the maastricht registration process
>>>> issue a token set we can use as auth.  but ...
>>>> 
>>>> as part of reg process, everyone is issued a reg number.  they get this
>>>> on their reg web page, on their email receipt, on the paper receipt they
>>>> get when they get their badge, ...
>>>> 
>>>> so, straw proposal
>>>> 
>>>> o use reg number for maastricht and, optionally, plan to issue our own
>>>>   reg token for beijing
>>>> 
>>>> o have paper bag full of reg numbers at the reg desk for those who
>>>>   lost theirs, want privacy, or whatever
>>> 
>>> i noticed the stunning response to this.  am i off the wall as usual?
>>> is there a better/easier/sexier hack?  as russ/ray will need to start
>>> socializing this with the users, we should come to some sort of plan.
>>> 
>>> randy
>>> _______________________________________________
>>> ietf78-tech mailing list
>>> ietf78-tech at daedelus.com
>>> http://www.daedelus.com/mailman/listinfo/ietf78-tech
>> 
>> 
>> 
> 
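The bridging plus MAC address filtering design described in John Kemp's quoted message, sketched as an added example (not code from anyone on the thread). It prints the ebtables rules for one filtered VLAN port instead of applying them; the interface name `eth0.100`, the sample MAC addresses and the portal on the bridge host are assumptions.

```shell
#!/bin/sh
# Added example: print (do not run) ebtables rules for one "filtered" VLAN port.
# Assumptions: eth0.100 is the filtered VLAN sub-interface enslaved to the
# bridge, and a registration portal listens on the bridge host itself.
FILTERED_IF="eth0.100"

# Constructed allowlist: two registered MACs and one malformed entry.
SAMPLE_MACS="00:16:3e:00:00:01
00:16:3E:00:00:02
not-a-mac"

# Accept only six colon-separated hex octets, so nothing else reaches a rule.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules IFACE < mac-list : writes the rule set to stdout.
gen_rules() {
    ifname=$1
    while IFS= read -r mac; do
        [ -n "$mac" ] || continue
        if ! is_mac "$mac"; then
            echo "skipping malformed entry" >&2
            continue
        fi
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        # Registered station: bridge its frames and let them be forwarded.
        echo "ebtables -t broute -A BROUTING -i $ifname -s $mac -j ACCEPT"
        echo "ebtables -A FORWARD -i $ifname -s $mac -j ACCEPT"
    done
    # Unregistered station: in the broute table DROP means "route, do not
    # bridge", so its web traffic is handed to the local IP stack (portal).
    echo "ebtables -t broute -A BROUTING -i $ifname -p IPv4 --ip-protocol tcp --ip-destination-port 80 -j redirect --redirect-target DROP"
    # Everything else from unregistered stations is not forwarded.
    echo "ebtables -A FORWARD -i $ifname -j DROP"
}

printf '%s\n' "$SAMPLE_MACS" | gen_rules "$FILTERED_IF"
```

The generated rules identify a station by its source MAC address alone.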

