802.11x with signon and password?

capybara

I want to config an 802.11x network with signon and passwords?
Or as an alternative, can I give clients an IP address to access the network, and so be able to deny access to those without an IP address on my "accepted IP addresses list"?
I'm considering using:
server: win2k server edition
protocol: 802.11g
clients desktop pc card: linksys wmp56g
clients with laptops: linksys wpc54g
maximum number of clients: about 20
access point: wrt54g (is this necessary?)
router: is this necessary?
uplinked internet : wireless T1 equivalent = 1.5 mbps
===============================================================
Part 2: can I bandwidth limit clients = either to a fixed limit of for example 10% of our bandwidth, which would limit them to 150kbps each, or dynamically, for example, no limit when the network is used lightly all the way down to 75kbps if all 20 clients are online at the same time?
=================================
PS: if it's better to use Linux for the server, I can do that. I've used Mandrake, Red Hat, and Libranet (a Debian distro) but never FreeBSD or OpenBSD.
 

ScottMac

I believe you need a RADIUS server to authenticate 802.1x.

freeRADIUS works well for me. (www.freeradius.org)

If you bring it up on *nix, then you can also generate your own certs (if you want to go that route) ... otherwise, you can control any parameters that RADIUS can control (many things ...check out freeRADIUS).

Good Luck

Scott
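
A minimal freeRADIUS setup for the sign-on-and-password case asked about in this thread, added here as an example (it is not from any poster or from the freeRADIUS project). The access point address, shared secret, user names and passwords are constructed placeholders, file locations depend on the freeRADIUS version, and it assumes the access point firmware offers a RADIUS / WPA-Enterprise mode:

```conf
# ---- clients.conf -------------------------------------------------
# In RADIUS terms the "client" is the access point (the 802.1X
# authenticator), not the laptops. Only devices listed here may
# submit authentication requests to the server.
client wireless-ap {
    # Constructed address: the LAN IP of the access point.
    ipaddr = 192.168.1.2
    # Shared secret between AP and server. It protects the RADIUS
    # exchange, so use a long random string, unique per AP.
    secret = REPLACE-WITH-LONG-RANDOM-STRING
}

# ---- users file ---------------------------------------------------
# One entry per person in the group (about 20 in this thread).
# Anyone without an entry is rejected at the access point before
# getting any network access at all.
# User names and passwords below are constructed samples.
alice   Cleartext-Password := "REPLACE-alice-passphrase"
bob     Cleartext-Password := "REPLACE-bob-passphrase"

# ---- access point side (set in the AP's own admin page) ------------
# Security mode : the RADIUS / WPA-Enterprise option
# RADIUS server : IP address of the machine running freeRADIUS
# RADIUS port   : 1812 (standard authentication port)
# Shared secret : same value as "secret" above
#
# Run the server in debug mode (radiusd -X) while the first client
# connects; it prints each Access-Request and the accept or reject
# decision, which is the quickest way to find a mismatched secret
# or a mistyped user name.
```

Removing a person's line from the users file and restarting the server revokes that one account without touching anyone else's credentials, which a single shared WEP key cannot do.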
 

CZroe

You could set up VPN. Basically, leave the wireless network open to anyone and secure access to the real network with VPN. A passerby that sniffs your SSID or gets your WEP key still won't be able to get through that (provided your other clients aren't sharing network access) and probably can't do much of anything but interfere with bandwidth.

I pulled up to Starbucks and checked it out. All domain names forward you to their login page. Nice :)
 

capybara

Originally posted by: CZroe
You could set up VPN. Basically, leave the wireless network open to anyone and secure access to the real network with VPN.

But there is no "real network" if you mean a wired network portion.
The whole thing is wireless: 20 wireless 802.11g clients sharing a T1 uplink.
My goal is to keep those people who aren't part of our group off our T1 bandwidth.
One possibility: connect the wireless access point to the WAN port of a Linksys BEFVP41 router. This was suggested two years ago here
 

CZroe

Well, the VPN server itself could be the only real network node of the real network :)

Also, most real wireless routers and access points can filter MAC addresses. Most wireless cards have the unique MAC addresses printed right on the label just to simplify setting this up. In most cases, you can even tell it to assign specific IP addresses to specific MAC addresses so manually setting them up isn't a problem. Besides, anyone can "spoof" an IP address but it usually takes a firmware hack to spoof a MAC address.