Order Tray | Contact Us | Home | SIG Lists

[Ham-80211] Access control suggestions

Steven Phillips steven_phillips at yahoo.com
Mon Nov 1 17:31:28 UTC 2004

I just did a little skimming through the archives and
saw a lot of discussion regarding WEP and access
points.  I agree that use of WEP for access control
and not to obscure the messages is not in violation of
FCC rules.  Here is my suggestion regarding potection
of the WEP keys.

The ARRL has a system implace for their log book of
the world for credential verification.  QSL.NET (?)
has similiar provisions.  Why can't we utilize one of
the systems, or one of our own, to maintain a database
of these keys.  Ok great, that gives us a way to make
the keys available to the ham public, how do we keep
them from making it available to the general public? 
In the instance of the W54RT, it can run linux.  Set
up a small script and add it to a cron job that will
change the WEP key every so often and then upload that
information to the database.  You don't have an
accesspoint that can run linux?  No problem, set up a
486 or other junk computer with a small distribution
of linux to run a wirless nic in AD-HOC mode.  Another
key feature is to disable the built in DHCP server and
statically assign the ip to an AMRPNET IP address.

Another suggestion is to use a system similiar to
lessnetworks (www.lessnetworks.com) and leave the
access point open to the public.  Less networks has a
free linux distro for WiFI Hotspots.  The linux box
goes between the AP and the main network an acts as an
authentication proxy server.  Similar to what T-Mobile
Hotspot does.  Link these systems together to a
central user database as it is designed to do.  The
ARRL could host this database and use their credential
verification system to verify legitimacy of the users.

That still leaves one question open.  The AP is still
being used under part 97 rules.  Is using static IP
assignments under AMPERNET sufficient access
restriction?  Part 15 users can still connect to the
AP, but they will not get any network access and can't
do anything beyond connecting to the AP.  This is
because they will not have an IP address.  The only
exception I can think of is if the general public
discovers the AMPRNET IP scheme and assigns themselves
an IP address?  Simple solution.  When a person
applies for access to the network, require them to
provide the unique MAC address of their WLAN card(s)
and do a MAC check during authentication.  If a person
does spoof an IP, they still won't have access because
they do not have an authorized MAC address.

So, there's my $20 worth.  Let me know what you think
and if you have any thoughts about my suggestions.


Do you Yahoo!?
Y! Messenger - Communicate in real time. Download now. 

More information about the ham-80211 mailing list